Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine] from Florian Bösch on 2015-12-01 (public-webappsec@w3.org from December 2015)

From: Florian Bösch <pyalot@gmail.com>
Date: Tue, 1 Dec 2015 03:25:28 +0100
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Aymeric Vitte <vitteaymeric@gmail.com>, Brad Hill <hillbrad@gmail.com>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOK8ODjc_o8+XTuRHr8EoFAvnDw0gK-sAk6ibN7cwffJAhvWbQ@mail.gmail.com>

On Mon, Nov 30, 2015 at 10:45 PM, Richard Barnes <rbarnes@mozilla.com>
wrote:

> 1. Authentication: You know that you're talking to who you think you're
> talking to.
>

And then Dell installs a their own root authority on machines they ship, or
your CA of choice gets pwn'ed or the NSA uses some undisclosed backdoor in
the EC they managed to smuggle into the constants, or somebody combines a
DNS poison/grab with a non verified (because piss poor CA) double
certificate, or you hit one of the myriad of bugs that've plaqued TLS
implementations (particularly certain large and complex ones that're
basically one big ball of gnud which shall remain unnamed).

Received on Tuesday, 1 December 2015 02:26:01 UTC