- From: Chris Palmer <palmer@google.com>
- Date: Fri, 22 Aug 2014 13:31:18 -0700
- To: John Kemp <john@jkemp.net>
- Cc: Jeffrey Yasskin <jyasskin@google.com>, Adam Langley <agl@google.com>, "Eduardo' Vela" <evn@google.com>, Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Fri, Aug 22, 2014 at 12:44 PM, John Kemp <john@jkemp.net> wrote: > What can a browser tell you > about an essentially unknown web server? It can tell you whether or not the server's cryptographic identity was vouched-for in public by a known trusted third party. (Certificate Transparency.) It can tell you whether or not the identity is computationally infeasible to forge. (Run-time checks on the negotiated cryptographic parameters and the key material.) It can tell you whether or not the identity is in a small set of previously-known-good key <-> DNS name mappings. (Key pinning, including pre-loaded key pinning.) It can tell you whether or not the server refers to resources and code that are also authenticated. (Mixed-mode content checking.) If that's not good enough for you, well, I'm sorry. It's the state of the art in 2014. If you have some ideas to advance the state of the art, we'd all love to hear them. If your point is that the state of the art will never be good enough to satisfy you, then I'll stop responding. I'm not interested in security nihilism.
Received on Friday, 22 August 2014 20:31:46 UTC