- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 20 Dec 2014 12:39:05 +0100
- To: "Eric J. Bowman" <eric@bisonsystems.net>
- Cc: Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
On Sat, Dec 20, 2014 at 11:04 AM, Eric J. Bowman <eric@bisonsystems.net> wrote: > The problem as I see it, is that the debate is between no-auth HTTP and > HTTPS -- with no discussion of HTTP Digest and how it may be improved to > solve the problems HTTPS purports to, without the drawbacks as I see > them. It seems like you are confusing user authentication with domain authentication. Without HTTPS the attacker controls *all* bytes to and from the user. There's no way to get authenticated transport to a given domain. -- https://annevankesteren.nl/
Received on Saturday, 20 December 2014 11:39:34 UTC