- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Mon, 17 May 2010 14:34:03 -0700
- To: Henrik Nordström <henrik@henriknordstrom.net>
- Cc: "public-web-security@w3.org" <public-web-security@w3.org>

> What I do not get is why this is addressed at the HTTP level. My first
> reaction is that this belongs at either the SSL or DNS layers, not HTTP.
>
> SSL by adding a suitable attribute to certificate.

This would make it difficult to enroll (requiring changing all certs).

> DNS by adding a DNS record stating the site policy, similar to as has
> been done for SMTP and other protocols for similar policy purposes.

This is vulnerable to two attacks:

1) On first visit, active attackers may just hide this from the recipient,

2) Perhaps more importantly, as you note, this is vulnerable to blind, long-lived DoS if the entry is spoofed and then cached by the browser when the target site is not, in fact, SSL-enabled.

The first part is true also in the current model, if the user first navigates to http://, rather than https://; but at least, it gives you some choice. The second attack is much harder for TCP than it is for DNS over UDP.

/mz

Received on Monday, 17 May 2010 21:34:44 UTC