
Re: The futile war between Native and Web

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 19 Feb 2015 12:10:19 -0500
Message-ID: <CAH8yC8k0ZpFhhA10SWKP3RL5Fw2vRHJ_JbTw6yWoWN1ZYs2gLQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: public-webapps WG <public-webapps@w3.org>
On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Sun, Feb 15, 2015 at 10:59 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>> For the first point, Pinning with Overrides
>> (tools.ietf.org/html/draft-ietf-websec-key-pinning) is a perfect
>> example of the wrong security model. The organizations I work with did
>> not drink the Web 2.0 Kool-Aid; it's not acceptable to them that an
>> adversary can so easily break the secure channel.
>
> What would you suggest instead?

Sorry to dig up an old thread.

Here's yet another failure that Public Key Pinning should have
stopped, but the browser's rendition of HPKP could not stop because of
the broken security model:
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.

Jeff
Received on Thursday, 19 February 2015 17:10:47 UTC
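The point Jeff is making is that HPKP as shipped in browsers exempts any chain that terminates in a locally installed trust anchor from pin validation, so an interception root installed on the machine (the Lenovo case) is never checked against the site's pins. The following is an added example, not code from this thread or from any browser: it parses a Public-Key-Pins header in the RFC 7469 syntax (the published form of the draft cited above), computes pin-sha256 values, and evaluates a constructed genuine chain and a constructed interception chain under both the "pinning with overrides" rule and a strict rule that enforces pins regardless of where the anchor came from. The certificate and trust-anchor model is a deliberate simplification (no signatures or path validation), and every subject name and key byte string is a constructed placeholder.

```python
"""Added example: HPKP pin-sha256 validation with and without the
"pinning with overrides" rule (a locally installed trust anchor exempts the
connection from pin checks).  Not from the original thread; the chain model
below is a constructed simplification (no signatures are checked)."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class PinPolicy:
    pins: Set[str]            # base64 SHA-256 digests of DER SubjectPublicKeyInfo
    max_age: int
    include_subdomains: bool = False


def parse_hpkp_header(value: str) -> Optional[PinPolicy]:
    """Parse a Public-Key-Pins header value (RFC 7469 syntax).

    Returns None where RFC 7469 tells a UA to ignore the header: a malformed
    pin, a missing max-age, or fewer than two pins (one must be a backup pin
    so that a key rollover cannot lock users out of the site)."""
    pins: Set[str] = set()
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256":
            try:
                digest = base64.b64decode(raw, validate=True)
            except ValueError:           # binascii.Error is a ValueError
                return None
            if len(digest) != hashlib.sha256().digest_size:
                return None
            pins.add(raw)
        elif name == "max-age":
            if not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # report-uri and unknown directives are not needed for this example
    if max_age is None or len(pins) < 2:
        return None
    return PinPolicy(pins, max_age, include_subdomains)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki_der: bytes   # constructed stand-in for the DER SubjectPublicKeyInfo


@dataclass(frozen=True)
class TrustAnchor:
    cert: Cert
    source: str       # "builtin": shipped with the browser; "local": installed on the machine


def spki_pin(cert: Cert) -> str:
    """pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(cert.spki_der).digest()).decode("ascii")


def evaluate(chain: List[Cert], anchors: List[TrustAnchor],
             policy: PinPolicy, honor_overrides: bool) -> str:
    """Return 'accepted' or a rejection reason for one TLS connection.

    The chain is leaf first; path building is reduced to matching the last
    certificate's issuer to an anchor subject.  With honor_overrides set, a
    chain ending in a locally installed anchor bypasses the pin check (the
    browser HPKP behaviour); with it unset, pins are enforced no matter
    where the trust anchor came from."""
    anchor = next((a for a in anchors if a.cert.subject == chain[-1].issuer), None)
    if anchor is None:
        return "rejected: no trust anchor"
    if honor_overrides and anchor.source == "local":
        return "accepted"            # override rule: pins are not consulted at all
    if any(spki_pin(c) in policy.pins for c in chain + [anchor.cert]):
        return "accepted"
    return "rejected: no pinned key in chain"


def demo() -> dict:
    """Constructed scenario: a genuine chain and a locally rooted interception chain."""
    public_root = Cert("Public CA", "Public CA", b"constructed public-ca key")
    site_cert = Cert("www.example.com", "Public CA", b"constructed site key")
    backup_key = Cert("www.example.com", "Public CA", b"constructed backup key")
    local_root = Cert("Local Interception Root", "Local Interception Root",
                      b"constructed proxy root key")
    forged_cert = Cert("www.example.com", "Local Interception Root",
                       b"constructed proxy leaf key")

    anchors = [TrustAnchor(public_root, "builtin"), TrustAnchor(local_root, "local")]
    header = ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains'
              % (spki_pin(site_cert), spki_pin(backup_key)))
    policy = parse_hpkp_header(header)
    assert policy is not None
    return {
        "genuine/overrides": evaluate([site_cert], anchors, policy, honor_overrides=True),
        "genuine/strict": evaluate([site_cert], anchors, policy, honor_overrides=False),
        "interposed/overrides": evaluate([forged_cert], anchors, policy, honor_overrides=True),
        "interposed/strict": evaluate([forged_cert], anchors, policy, honor_overrides=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22} {outcome}")
```

Running it shows the two models agreeing on the genuine chain and disagreeing only on the interposed one: under the override rule the forged leaf is accepted because its anchor is marked "local", while the strict rule rejects it because no key in that chain matches a pinned SPKI. The detection angle for a defender is the same comparison: log the served chain's pin-sha256 values and alert when none of them matches the expected set, independent of what the local trust store says.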
