- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 29 Jul 2009 08:40:44 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv31546
Modified Files:
Overview.html
Log Message:
Mention the case of a previously-CA-signed-cert page turning into a self-signed-cert page. (whatwg r3495)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.2693
retrieving revision 1.2694
diff -u -d -r1.2693 -r1.2694
--- Overview.html 29 Jul 2009 08:04:16 -0000 1.2693
+++ Overview.html 29 Jul 2009 08:40:41 -0000 1.2694
@@ -4494,6 +4494,11 @@
erroneous certificates or must act as if such resources were in fact
served with no encryption.</p>
+ <p>User agents should warn the user that there is a potential
+ problem whenever the user visits a page that the user has previously
+ visited, if the page uses less secure encryption on the second
+ visit.</p>
+
<p>Not doing so can result in users not noticing man-in-the-middle
attacks.</p>
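Review bot: The new paragraph is inserted between the "must act as if such resources were in fact served with no encryption" requirement and the sentence "Not doing so can result in users not noticing man-in-the-middle attacks", so "Not doing so" now attaches to the new "should warn" text rather than to the must-level requirement it originally explained. Consider placing the new paragraph after the "Not doing so" sentence, or rewording that sentence so it names which behaviour it refers to. Separately, "less secure encryption" is not defined in the added lines: it does not say what is compared between visits (certificate trust, protocol, cipher strength), and "a page that the user has previously visited" implies the user agent keeps per-page security state without saying so. A short statement of what is remembered and what counts as a downgrade would make the requirement testable.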
@@ -4515,6 +4520,12 @@
from a different host and only apply man-in-the-middle attacks to
that host, for example taking over scripts in the page.</p>
+ <p>If a user bookmarks a site that uses a CA-signed certificate,
+ and then later revisits that site directly but the site has started
+ using a self-signed certificate, the user agent could warn the user
+ that a man-in-the-middle attack is likely underway, instead of
+ simply acting as if the page was not encrypted.</p>
+
</div>
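Review bot: The example ends with "instead of simply acting as if the page was not encrypted", which reads as replacing the behaviour that the context of the first hunk states with "must" (acting as if such resources were served with no encryption); "in addition to" would keep the example consistent with that requirement. The example also uses "could warn" where the paragraph added in the first hunk says "should warn", and it is keyed on a bookmark while the requirement is keyed on any previous visit, so it is unclear whether this illustrates that requirement or describes an optional extra. Aligning the modal verb and the trigger with the earlier paragraph would remove the ambiguity. Finally, "likely underway" is a strong claim for a change from a CA-signed to a self-signed certificate; "may be underway" would match the "potential problem" wording used in the first hunk.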
Received on Wednesday, 29 July 2009 08:40:53 UTC