- From: Anne van Kesteren <annevk@opera.com>
- Date: Fri, 09 Dec 2011 13:59:13 +0100
- To: "Adam Barth" <w3c@adambarth.com>, "Eric Rescorla" <ekr@rtfm.com>
- Cc: "Jonas Sicking" <jonas@sicking.cc>, "Wenbo Zhu" <wenboz@google.com>, public-webapps@w3.org, "Ian Hickson" <ian@hixie.ch>

On Fri, 09 Dec 2011 02:13:50 +0100, Eric Rescorla <ekr@rtfm.com> wrote:
> On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w3c@adambarth.com> wrote:
>> Whatever spec we end up going with should note in its security
>> consideration that the user agent must implement TLS 1.2 or greater to
>> avoid this attack.
>
> I believe it's actually TLS 1.1, since the relevant feature is
> explicit IVs. Or you could allow RC4, I guess.

Are you saying that if responseType is set to "stream" and the server only
supports TLS 1.0 the connection should fail, but if it is greater than that
it is okay? Same-origin requests are always okay? (Though it seems we
should just require TLS 1.1 there too then to not make matters too
confusing.)

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Friday, 9 December 2011 12:59:59 UTC