W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 18:07:08 -0500
Message-ID: <54935E1C.9060605@fifthhorseman.net>
To: michael.martinez@xenite.org, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org
On 12/18/2014 05:55 PM, Michael Martinez wrote:
> No it doesn't need a certificate.  A MITM can be executed through a
> compromised or rogue router.  It's simple enough to set up a public
> network in  well-known wifi hotspots and attract unwitting users. Then
> the HTTPS doesn't protect anyone's transmission from anything as the
> router forms the other end of the secure connection and initiates its
> own secure connection with the user's intended destination (either the
> site they are trying to get to or whatever site the bad guys want them
> to visit).

It sounds like you're saying that browsers don't verify the X.509
certificate presented by the https origin server, or at least that they
don't verify that the hostname matches.

This is a serious and extraordinary claim.  Please provide evidence for it.


Received on Thursday, 18 December 2014 23:07:40 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC