Re: Proposal: Marking HTTP As Non-Secure

On 12/18/2014 05:55 PM, Michael Martinez wrote:
> No it doesn't need a certificate.  A MITM can be executed through a
> compromised or rogue router.  It's simple enough to set up a public
> network in well-known wifi hotspots and attract unwitting users. Then
> the HTTPS doesn't protect anyone's transmission from anything as the
> router forms the other end of the secure connection and initiates its
> own secure connection with the user's intended destination (either the
> site they are trying to get to or whatever site the bad guys want them
> to visit).

It sounds like you're saying that browsers don't verify the X.509
certificate presented by the https origin server, or at least that they
don't verify that the hostname matches.

This is a serious and extraordinary claim.  Please provide evidence for it.

 --dkg

Received on Thursday, 18 December 2014 23:07:40 UTC
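
The two checks named in the reply above (that the certificate chains to a trusted issuer, and that it matches the requested hostname) can be reproduced offline with the `openssl` command line. This is an added example, not part of the original message; the hostnames, CA names and certificates are all constructed for the demo, and the CAs rely on the stock `openssl.cnf` marking `req -x509` output as a CA.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, CA and certificate is generated locally in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test          # hypothetical site the user asked for

new_ca() {   # new_ca <name>: self-signed CA certificate $WORK/<name>.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue() {    # issue <ca> <certname> <dnsname>: leaf for <dnsname> signed by <ca>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
}

client_accepts() {   # client_accepts <certname> <hostname>: chain check + hostname check
  openssl verify -CAfile "$WORK/trusted-ca.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" 2>&1 | grep -q ': OK$'
}

new_ca trusted-ca     # stands in for the CA set shipped with the browser
new_ca router-ca      # a CA created by whoever runs the interposed router
issue trusted-ca site       "$HOST"               # the real site's certificate
issue router-ca  forged     "$HOST"               # right name, issuer the client does not trust
issue trusted-ca other-site router.example.test   # trusted issuer, but a different name

for c in site forged other-site; do
  if client_accepts "$c" "$HOST"; then echo "$c: accepted for $HOST"
  else echo "$c: rejected for $HOST"; fi
done
```

Only `site` is accepted for `www.example.test`: `forged` fails the chain check and `other-site` fails the hostname check.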