- From: Norbert Bollow <nb@bollow.ch>
- Date: Thu, 18 Apr 2013 18:31:26 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments CG <public-webpayments@w3.org>

Manu Sporny <msporny@digitalbazaar.com> wrote:

> The attack is only possible if a message is passed over a non-secure
> channel, right? That is, the spec is clear about passing all messages
> over HTTPS. Granted, that's not an excuse for the approach taken and
> it should be fixed, but the attack is only possible if messages are
> sent over an insecure channel, correct?

Saying "use HTTPS!" does not assure having a channel that is secure in every respect. Trustworthy security requires careful arguments based on specific security properties.

Greetings,
Norbert

Received on Friday, 19 April 2013 08:00:14 UTC