Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Sat, 20 Dec 2014 12:39:05 +0100
Message-ID: <CADnb78hkM4YpmFek4oZ2G2o8rn7+J7tWS8YDSgkh7X_9UGvcNQ@mail.gmail.com>
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>

On Sat, Dec 20, 2014 at 11:04 AM, Eric J. Bowman <eric@bisonsystems.net> wrote:
> The problem as I see it, is that the debate is between no-auth HTTP and
> HTTPS -- with no discussion of HTTP Digest and how it may be improved to
> solve the problems HTTPS purports to, without the drawbacks as I see
> them.

It seems like you are confusing user authentication with domain
authentication. Without HTTPS the attacker controls *all* bytes to and
from the user. There's no way to get authenticated transport to a
given domain.

Received on Saturday, 20 December 2014 11:39:34 UTC
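
The user-versus-domain authentication distinction drawn in the message above, as an added example that is not part of the original e-mail: it computes the RFC 2617 Digest value for `qop=auth` and shows which request bytes the server's check covers. The credentials and nonces are the sample values from RFC 2617 section 3.5; the `Host` and `Cookie` headers and the helper names are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")  # proves knowledge of the password
    ha2 = md5_hex(f"{method}:{uri}")                 # the only request bytes covered
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verifies(request: dict, password: str) -> bool:
    """Server-side check. Headers and bodies never enter the computation."""
    a = request["authorization"]
    expected = digest_response(a["username"], a["realm"], password,
                               request["method"], request["uri"],
                               a["nonce"], a["nc"], a["cnonce"])
    return hmac.compare_digest(expected, a["response"])


# Sample values from RFC 2617 section 3.5.
PASSWORD = "Circle Of Life"
AUTH = {"username": "Mufasa", "realm": "testrealm@host.com",
        "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
        "nc": "00000001", "cnonce": "0a4f113b"}
AUTH["response"] = digest_response(password=PASSWORD, method="GET",
                                   uri="/dir/index.html", **AUTH)

# Constructed request as the client sent it over plain HTTP.
original = {"method": "GET", "uri": "/dir/index.html",
            "headers": {"Host": "www.example.org", "Cookie": "session=constructed"},
            "authorization": AUTH}
# The same request with a header changed somewhere on the path.
rewritten = dict(original, headers={"Host": "www.example.org", "Cookie": "session=other"})
# The same Authorization value presented for another URI: this part is covered.
moved = dict(original, uri="/dir/other.html")


def demo() -> dict:
    return {"original": server_verifies(original, PASSWORD),
            "rewritten_headers": server_verifies(rewritten, PASSWORD),
            "different_uri": server_verifies(moved, PASSWORD)}


if __name__ == "__main__":
    print(demo())
```

The check passes for the request with rewritten headers because the digest binds the user's password to the method and URI only; nothing in it tells the client which domain issued the challenge or whether the bytes it receives back are the ones that domain sent.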