- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 11 Sep 2012 19:46:06 +0200
- To: public-webid <public-webid@w3.org>
- Message-ID: <CAKaEYhK6sNq9UMxq_+WLSsQmeJ_cpEfqbM9c7frONLfswT4QPw@mail.gmail.com>
---------- Forwarded message ----------
From: Mike Jones <Michael.Jones@microsoft.com>
Date: 11 September 2012 19:43
Subject: [apps-discuss] WebFinger should be HTTPS only
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>
Having looked at the WebFinger specification a bit more, I recently
realized that it currently does not require TLS to be used. Section 5.1 -
Performing a WebFinger Query – currently begins “The first step a client
must perform in executing a WebFinger query is to query for the host
metadata using HTTPS or HTTP”. This concerns me, since this may enable
classes of phishing attacks in some situations.

I would therefore request that the specification be updated to prohibit
non-TLS connections.

Thank you,
-- Mike
Received on Tuesday, 11 September 2012 17:46:35 UTC
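
Added example, not part of the original message or of the WebFinger specification: a client-side sketch of the behaviour the message asks for, in which the host-metadata query is only ever issued over HTTPS and a redirect to a non-TLS URL aborts the lookup. The function and class names are hypothetical, and the `/.well-known/host-meta` path is taken from RFC 6415, not from this page.

```python
import urllib.request
from urllib.parse import urlsplit


class InsecureWebFingerError(Exception):
    """Raised when a WebFinger lookup would leave TLS."""


def host_meta_url(identifier: str) -> str:
    """Map 'acct:user@host' or 'user@host' to an https-only host-meta URL."""
    ident = identifier[5:] if identifier.lower().startswith("acct:") else identifier
    user, sep, host = ident.rpartition("@")
    if not (user and sep and host):
        raise ValueError(f"not a user@host identifier: {identifier!r}")
    parts = urlsplit("https://" + host)
    # The host part must be a bare authority: anything that parses as a path,
    # query or fragment would let the identifier steer the request elsewhere.
    if parts.netloc != host or parts.path or parts.query or parts.fragment:
        raise ValueError(f"host part is not a bare authority: {host!r}")
    # The scheme is fixed here; there is no HTTP fallback (path per RFC 6415).
    return f"https://{host.lower()}/.well-known/host-meta"


class HTTPSOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Redirect handler that refuses any hop to a non-https URL."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme.lower() != "https":
            raise InsecureWebFingerError(
                f"redirect from {req.full_url} to non-TLS URL {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_host_meta(identifier: str, timeout: float = 10.0) -> bytes:
    """Fetch host metadata over TLS only; certificate checks use urllib defaults."""
    opener = urllib.request.build_opener(HTTPSOnlyRedirects)
    with opener.open(host_meta_url(identifier), timeout=timeout) as resp:
        return resp.read()
```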