- From: poot <cvsmail@w3.org>
- Date: Wed, 29 Jul 2009 17:41:01 +0900 (JST)
- To: public-html-diffs@w3.org
hixie: Mention the case of a previously-CA-signed-cert page turning into a self-signed-cert page. (whatwg r3495) http://dev.w3.org/cvsweb/html5/spec/Overview.html?r1=1.2693&r2=1.2694&f=h http://html5.org/tools/web-apps-tracker?from=3494&to=3495 =================================================================== RCS file: /sources/public/html5/spec/Overview.html,v retrieving revision 1.2693 retrieving revision 1.2694 diff -u -d -r1.2693 -r1.2694 --- Overview.html 29 Jul 2009 08:04:16 -0000 1.2693 +++ Overview.html 29 Jul 2009 08:40:41 -0000 1.2694 @@ -4494,6 +4494,11 @@ erroneous certificates or must act as if such resources were in fact served with no encryption.</p> + <p>User agents should warn the user that there is a potential + problem whenever the user visits a page that the user has previously + visited, if the page uses less secure encryption on the second + visit.</p> + <p>Not doing so can result in users not noticing man-in-the-middle attacks.</p> @@ -4515,6 +4520,12 @@ from a different host and only apply man-in-the-middle attacks to that host, for example taking over scripts in the page.</p> + <p>If a user bookmarks a site that uses a CA-signed certificate, + and then later revisits that site directly but the site has started + using a self-signed certificate, the user agent could warn the user + that a man-in-the-middle attack is likely underway, instead of + simply acting as if the page was not encrypted.</p> + </div>
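Review bot: In the first hunk (@@ -4494,6 +4494,11 @@), the added paragraph leaves "less secure encryption" undefined, so an implementer cannot tell which downgrades trigger the warning. The example added in the second hunk suggests the intended case is a CA-signed certificate giving way to a self-signed one; consider naming that case here, and saying whether a move from encrypted to unencrypted also counts. "On the second visit" should probably read "on a later visit", since the condition applies to any subsequent visit, not only the second. Also note that the unchanged sentence "Not doing so can result in users not noticing man-in-the-middle attacks." now directly follows this new paragraph, so "Not doing so" reads as referring to the warning rather than to the preceding requirement about erroneous certificates; reword it if both are meant.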
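Review bot: In the second hunk (@@ -4515,6 +4520,12 @@), "instead of simply acting as if the page was not encrypted" reads as replacing the behaviour that the context lines of the first hunk give as a "must" option ("must act as if such resources were in fact served with no encryption"). Suggest "in addition to" or "rather than only", so the example does not appear to relax that requirement. The wording "a man-in-the-middle attack is likely underway" is also stronger than the "potential problem" used in the normative paragraph added above, and "could warn" is weaker than that paragraph's "should warn"; aligning the example with the normative text would avoid the two being read as different requirements.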
Received on Wednesday, 29 July 2009 08:41:38 UTC