On Mon, Dec 15, 2014 at 4:10 PM, <ferdy.christant@gmail.com> wrote: > > "If someone thinks their users are OK with their website not having > integrity/authentication/privacy" > > That is an assumption that doesn't apply to every website. Many websites > don't even have authentication. > I think there may be some confusion. "Authentication" here does not refer to "Does the user authenticate themselves to the site" (e.g. do they log in), but "Is the site you're talking to the site you the site you expected" (or, put differently, "Does the server authenticate itself to the user"). Without authentication in this sense (e.g. talking to whom you think you're talking to), anyone can trivially impersonate a server and alter the responses. This is not that hard, a few examples for you about why authentication is important, even for sites without logins: http://newstweek.com/ http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/ http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/ This is why it's important to know you're talking to the site you're expecting (Authentication), and that no one has modified that site's contents (Integrity).
Received on Tuesday, 16 December 2014 00:19:27 UTC