Re: Proposal: Marking HTTP As Non-Secure from Daniel Kahn Gillmor on 2014-12-18 (public-webappsec@w3.org from December 2014)

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 18:57:45 -0500
To: michael.martinez@xenite.org, public-webappsec@w3.org, security-dev@chromium.org, mozilla-dev-security@lists.mozilla.org, blink-dev@chromium.org
Message-ID: <549369F9.4070208@fifthhorseman.net>

On 12/18/2014 06:46 PM, Michael Martinez wrote:
> No, what I am saying is that you can bypass the certificate for a MITM
> attack via a new technique that was published earlier this year.

Links, please.

> If you
> compromise someone else's router you can control it from your own nearby
> router.  The compromised router with the valid certificate sends the
> user through whatever gateway you specify.

You seem to be saying now that the attacker does need a valid
certificate; earlier you claimed no certificate was needed.

I'm sure everyone agrees that the dominant X.509 certificate issuance
process and auditability can be improved, but it's not trivial to get a
fake cert automatically.

The fact that HTTPS is not 100% perfect does not mean that HTTP is
somehow secure.

You sound very concerned about MITM attacks.  I am too.

Compared to HTTPS, HTTP is *trivially* vulnerable to MITM attacks.
Shouldn't we visibly mark HTTP connections as insecure?

 --dkg

Received on Thursday, 18 December 2014 23:58:09 UTC