Re: AW: AW: AW: WebSocket API: close and error events

On Tue, 25 Oct 2011, Glenn Maynard wrote:
> On Tue, Oct 25, 2011 at 5:59 PM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > That only makes sense if passive attack is significantly easier than 
> > active attack, which it is not.
> 
> Passive attacks are significantly easier to do without any risk of 
> discovery, especially on a large scale.

Sure, there are specific cases where one is easier than the other. There 
are also specific cases where it's easier to just send malware to the user 
than attempt a passive attack. That doesn't mean that we should just 
protect against malware and pretend that a passive attack is not a 
problem, just like we shouldn't pretend that active attacks are not a 
significant risk and thus should allow self-signed certs.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 25 October 2011 22:37:27 UTC