Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

Anne van Kesteren wrote:
>
> Eric J. Bowman wrote:
>
> > The problem as I see it, is that the debate is between no-auth HTTP
> > and HTTPS -- with no discussion of HTTP Digest and how it may be
> > improved to solve the problems HTTPS purports to, without the
> > drawbacks as I see them.
> 
> It seems like you are confusing user authentication with domain
> authentication.
>

I assure you I'm not.

>
> Without HTTPS the attacker controls *all* bytes to and from the user.
> There's no way to get authenticated transport to a given domain.
> 

Even with HTTPS, I have no way of knowing whether or not the content
that the user sees, is the content I expect them to see, and vice-versa.

-Eric

Received on Tuesday, 30 December 2014 19:46:11 UTC