- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 25 Oct 2011 22:32:31 +0000 (UTC)
- To: Glenn Maynard <glenn@zewt.org>
- cc: Tobias Oberstein <tobias.oberstein@tavendo.de>, Simon Pieters <simonp@opera.com>, "public-webapps@w3.org" <public-webapps@w3.org>
On Tue, 25 Oct 2011, Glenn Maynard wrote: > On Tue, Oct 25, 2011 at 5:59 PM, Ian Hickson <ian@hixie.ch> wrote: > > > > That only makes sense if passive attack is significantly easier than > > active attack, which it is not. > > Passive attacks are significantly easier to do without any risk of > discovery, especially on a large scale. Sure, there are specific cases where one is easier than the other. There are also specific cases where it's easier to just send malware to the user than attempt a passive attack. That doesn't mean that we should just protect against malware and pretend that a passive attack is not a problem, just like we shouldn't pretend that active attacks are not a significant risk and thus should allow self-signed certs. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Tuesday, 25 October 2011 22:37:27 UTC