
Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 30 Dec 2014 19:12:33 -0700
To: Chris Palmer <palmer@google.com>
Cc: "henry.story@bblfish.net" <henry.story@bblfish.net>, Marc Fawzi <marc.fawzi@gmail.com>, Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <20141230191233.a04581c1a751f313c2f51dc7@bisonsystems.net>

Chris Palmer wrote:
> 
> TLS does have an end-to-end (client to front-end server) integrity
> checking mechanism.
> 

Unless there's a proxy (security appliance, etc.) involved, excluding
the user-agent from the integrity check. What's needed is an integrity
check which is end-to-end from origin server to user agent; could be a
script, the purpose of which would be to alert the site owner and the
end user to the presence of altered content, even if that content was
altered by a "trusted" proxy.

-Eric
Received on Wednesday, 31 December 2014 02:12:48 UTC
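
Added example, not part of the original message or of the TAG draft: one way an origin-to-user-agent integrity check of the kind described above could work, written in JavaScript with Node's built-in crypto module. The Ed25519 detached signature, the out-of-band pinned public key, the function names, the report fields and the origin.example URL are all assumptions of this example.

```javascript
const nodeCrypto = require("node:crypto");

// Origin side: sign the exact bytes served. The key pair is generated here for
// the demo; the private key would live at the origin, behind the TLS front end.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");

function originSign(body) {
  return nodeCrypto.sign(null, Buffer.from(body, "utf8"), privateKey).toString("base64");
}

// User-agent side: verify the received bytes against the origin's signature.
// Assumption: pinnedKey reached the user agent out of band, not through the
// intermediary being checked (otherwise it could be swapped along with the body).
function verifyAtUserAgent(url, body, signatureB64, pinnedKey) {
  let intact = false;
  try {
    intact = nodeCrypto.verify(null, Buffer.from(body, "utf8"), pinnedKey,
                               Buffer.from(signatureB64 || "", "base64"));
  } catch (_) {
    intact = false; // a malformed signature counts as a failed check
  }
  if (intact) return { intact: true, userNotice: null, ownerReport: null };
  return {
    intact: false,
    userNotice: `Content from ${url} was altered in transit.`,
    // Hypothetical report for the site owner: digest of what actually arrived.
    ownerReport: {
      url,
      receivedSha256: nodeCrypto.createHash("sha256").update(body, "utf8").digest("hex"),
      signaturePresent: Boolean(signatureB64),
    },
  };
}

// Constructed sample: a page as served, and as rewritten by an intermediary.
const served = "<html><body><h1>Account</h1></body></html>";
const signature = originSign(served);
const rewritten = served.replace("</body>", "<div>inserted by proxy</div></body>");

function demo() {
  const url = "https://origin.example/"; // placeholder URL
  return {
    direct: verifyAtUserAgent(url, served, signature, publicKey),
    viaProxy: verifyAtUserAgent(url, rewritten, signature, publicKey),
    stripped: verifyAtUserAgent(url, rewritten, "", publicKey), // signature removed
  };
}
```

A missing signature is treated the same as a bad one, so an intermediary cannot silence the check by stripping it.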