Re: Proposal: Marking HTTP As Non-Secure

On 12/18/2014 06:46 PM, Michael Martinez wrote:
> No, what I am saying is that you can bypass the certificate for a MITM
> attack via a new technique that was published earlier this year.

Links, please.

> If you
> compromise someone else's router you can control it from your own nearby
> router.  The compromised router with the valid certificate sends the
> user through whatever gateway you specify.

You seem to be saying now that the attacker does need a valid
certificate; earlier you claimed no certificate was needed.

I'm sure everyone agrees that the dominant X.509 certificate issuance
process and auditability can be improved, but it's not trivial to get a
fake cert automatically.

The fact that HTTPS is not 100% perfect does not mean that HTTP is
somehow secure.

You sound very concerned about MITM attacks.  I am too.

Compared to HTTPS, HTTP is *trivially* vulnerable to MITM attacks.
Shouldn't we visibly mark HTTP connections as insecure?


Received on Thursday, 18 December 2014 23:58:09 UTC