- From: <bugzilla@jessica.w3.org>
- Date: Wed, 09 Mar 2011 17:40:42 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=12272 Summary: Improve section on DNS spoofing attacks to address user attacks Product: WebAppsWG Version: unspecified Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: Web Storage (editor: Ian Hickson) AssignedTo: ian@hixie.ch ReportedBy: watsonm@netflix.com QAContact: member-webapi-cvs@w3.org CC: ian@hixie.ch, mike@w3.org, public-webapps@w3.org Section 7.1 on DNS spoofing attacks states: "Pages using TLS can be sure that only pages using TLS that have certificates identifying them as being from the same domain can access their storage areas." We could add "This protects against DNS spoofing attacks which do not involve the user. However, if the user is involved in the attack this protection can be circumvented by the user installing root certificates for fake certification authorities and then creating site certificates to be used in conjunction with DNS spoofing. Therefore a web page author cannot be sure that the information stored in web storage has not been viewed or modified by or on behalf of the user." i.e. page authors should be aware that even with TLS information inside web storage can be viewed and modified by or on behalf of the user. -- Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
Received on Wednesday, 9 March 2011 17:40:44 UTC