
Re: WS/Service Workers, TLS and future apps - [was Re: HTTP is just fine]

From: Florian Bösch <pyalot@gmail.com>
Date: Tue, 1 Dec 2015 03:25:28 +0100
Message-ID: <CAOK8ODjc_o8+XTuRHr8EoFAvnDw0gK-sAk6ibN7cwffJAhvWbQ@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Aymeric Vitte <vitteaymeric@gmail.com>, Brad Hill <hillbrad@gmail.com>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 30, 2015 at 10:45 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

> 1. Authentication: You know that you're talking to who you think you're
> talking to.
>

And then Dell installs their own root authority on machines they ship, or
your CA of choice gets pwn'ed or the NSA uses some undisclosed backdoor in
the EC they managed to smuggle into the constants, or somebody combines a
DNS poison/grab with a non-verified (because piss poor CA) double
certificate, or you hit one of the myriad of bugs that've plagued TLS
implementations (particularly certain large and complex ones that're
basically one big ball of gnud which shall remain unnamed).
Received on Tuesday, 1 December 2015 02:26:01 UTC
