Re: The futile war between Native and Web

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 19 Feb 2015 12:21:22 -0500
Message-ID: <CAH8yC8kzfhBESNfQW2Y2424P15T4pR+1xGpPhJZsaa4deAYdMQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: public-webapps WG <public-webapps@w3.org>

On Thu, Feb 19, 2015 at 12:15 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Feb 19, 2015 at 6:10 PM, Jeffrey Walton <noloader@gmail.com> wrote:
>> On Mon, Feb 16, 2015 at 3:34 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>> What would you suggest instead?
>>
>> Sorry to dig up an old thread.
>>
>> Here's yet another failure that Public Key Pinning should have
>> stopped, but the browser's rendition of HPKP could not stop because of
>> the broken security model:
>> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/.
>
> That does not really answer my questions though.
>
Good point.

Stop letting externalities control critical security parameters
unmolested since an externality is not the origin nor the user.

HPKP has a reporting mode, but a broken pinset is a MUST NOT report.
Broken pinsets should be reported to the user and the origin so the
browser is no longer complicit in covering up for the attacker.

Jeff
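An added illustration of the reporting behaviour the reply above argues for; this is example code and not part of the thread or of any browser. It parses a Public-Key-Pins header, checks the validated chain's SPKI hashes against the pinset, and then models two policies side by side: the one the reply criticises (pin validation skipped, nothing reported, when the chain ends in a locally installed trust anchor) and the one it asks for (a mismatch is reported to the origin's report-uri regardless of which anchor validated the chain). The hostname, report URI and SPKI byte strings are constructed, and the report fields are a simplified subset of the RFC 7469 JSON.

```python
"""HPKP pin evaluation with a failure report (added example, not from the thread).

All key material below is constructed: the SPKI "DER" blobs are plain byte
strings, so the pins are real SHA-256/base64 values of fake keys.
"""
import base64
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures.
ORIGIN_SPKI = b"constructed-spki-origin-key"
BACKUP_SPKI = b"constructed-spki-backup-key"
INTERCEPT_SPKI = b"constructed-spki-intercepting-proxy-key"

HOSTNAME = "www.example.test"          # constructed
REPORT_URI = "https://report.example.test/hpkp"  # constructed

_PIN_RE = re.compile(r'pin-sha256="([A-Za-z0-9+/=]+)"')


def spki_pin(spki_der):
    """Pin value as in RFC 7469: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def example_header():
    """A Public-Key-Pins header for the constructed origin and backup keys."""
    return ('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; '
            'includeSubDomains; report-uri="%s"'
            % (spki_pin(ORIGIN_SPKI), spki_pin(BACKUP_SPKI), REPORT_URI))


def parse_hpkp(header):
    """Extract pins, max-age, includeSubDomains and report-uri from the header."""
    max_age = re.search(r'max-age=(\d+)', header)
    report = re.search(r'report-uri="([^"]+)"', header)
    return {
        "pins": _PIN_RE.findall(header),
        "max_age": int(max_age.group(1)) if max_age else 0,
        "include_subdomains": "includeSubDomains" in header,
        "report_uri": report.group(1) if report else None,
    }


def build_report(policy, chain_pins, hostname, port=443):
    """Simplified RFC 7469 report body sent to report-uri on a pin mismatch."""
    return {
        "date-time": datetime.now(timezone.utc).isoformat(),
        "hostname": hostname,
        "port": port,
        "include-subdomains": policy["include_subdomains"],
        "validated-certificate-chain": chain_pins,  # pins stand in for PEM certs here
        "known-pins": ['pin-sha256="%s"' % p for p in policy["pins"]],
    }


def evaluate(policy, chain_spkis, anchor_is_user_installed, report_on_user_anchor):
    """Check a validated chain (leaf first) against the pinset.

    Returns (verdict, report): verdict is "pass", "fail" or "bypassed".
    report_on_user_anchor=False models the behaviour the reply criticises:
    a chain ending in a locally installed root skips pinning silently.
    report_on_user_anchor=True models what the reply asks for: the pin
    check always runs and a mismatch is reported to the origin.
    """
    if anchor_is_user_installed and not report_on_user_anchor:
        return "bypassed", None
    chain_pins = [spki_pin(s) for s in chain_spkis]
    if any(p in policy["pins"] for p in chain_pins):
        return "pass", None
    return "fail", build_report(policy, chain_pins, HOSTNAME)


def demo():
    """Run the three cases and return their verdicts for inspection."""
    policy = parse_hpkp(example_header())
    honest = evaluate(policy, [ORIGIN_SPKI], False, True)[0]
    silent = evaluate(policy, [INTERCEPT_SPKI], True, False)[0]
    verdict, report = evaluate(policy, [INTERCEPT_SPKI], True, True)
    if report is not None:
        # A real client would POST this JSON to policy["report_uri"].
        print(json.dumps(report, indent=2))
    return honest, silent, verdict


if __name__ == "__main__":
    print(demo())
```

The intercepting key never matches the pinset, so the only thing deciding whether the origin learns about it is the `report_on_user_anchor` policy switch; `demo()` returns `("pass", "bypassed", "fail")` for the honest chain, the silently bypassed chain and the reported chain respectively.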
Received on Thursday, 19 February 2015 17:21:52 UTC