Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

On Sat, Dec 20, 2014 at 11:04 AM, Eric J. Bowman <> wrote:
> The problem as I see it, is that the debate is between no-auth HTTP and
> HTTPS -- with no discussion of HTTP Digest and how it may be improved to
> solve the problems HTTPS purports to, without the drawbacks as I see
> them.

It seems like you are confusing user authentication with domain
authentication. Without HTTPS the attacker controls *all* bytes to and
from the user. There's no way to get authenticated transport to a
given domain.


Received on Saturday, 20 December 2014 11:39:34 UTC