Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http] from Martin Thomson on 2016-08-08 (ietf-http-wg@w3.org from July to September 2016)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Mon, 8 Aug 2016 12:17:26 +1000
To: Adrien de Croy <adrien@qbik.com>
Cc: Amos Jeffries <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CABkgnnVpYiB39cfYhXFYrn_C3n_yktNM8ms7FsZj5LzzevQVEQ@mail.gmail.com>

On 8 August 2016 at 12:05, Adrien de Croy <adrien@qbik.com> wrote:
> It's kinda crazy that browsers, which are supposedly so security-conscious
> are still happy to download and evaluate javascript from some source they
> don't really verify (e.g. result of DNS lookup for WPAD or DHCP option 252).

I'm fairly sure that no browser wants to do that.  The alternative
must be worse though.

Received on Monday, 8 August 2016 02:41:57 UTC