- From: David I. Lehn <dil@lehn.org>
- Date: Fri, 25 Jan 2013 10:08:55 -0500
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: Web Payments <public-webpayments@w3.org>
On Fri, Jan 25, 2013 at 9:12 AM, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
> Apologies if this has come up before, but I am wondering if there is a
> possible MITM attack surface where payswarm vocabs are under http, rather
> than, https.
>
> Is this a concern at all?

This was brought up at Digital Bazaar and maybe made it on the telecons. We haven't thought through all the details yet but I think there could be an issue. Maybe something with reversing the source and destination? I imagine it would be a challenging attack to pull off in practice.

The main reason we are using http://purl.org/payswarm/v1 right now is that purl.org doesn't support https. Or at least they didn't last time we checked. Manu, do you know about this?

I'm not sure what the best solution is. We could stop using purl.org until they are fixed but we'd lose the benefits of their redirection service. Or we could come up with some other tricks like adding a @context hash property so you can verify you are processing with the proper data. Other suggestions?

-dave
Received on Friday, 25 January 2013 15:09:27 UTC
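As an added illustration of the "@context hash property" idea raised in the message above (example code, not from the thread, from PaySwarm or from Digital Bazaar), the following Python pins a sha256 digest of the expected context inside the document under a hypothetical `contextDigest` property and refuses to process a fetched context whose canonical form does not match. The property name and the context bodies are constructed for the example; the real http://purl.org/payswarm/v1 content is not reproduced.

```python
import hashlib
import hmac
import json

# Hypothetical property name (not defined by PaySwarm or JSON-LD): the digest
# the document claims for the context it expects to be processed with.
DIGEST_PROPERTY = "contextDigest"


def canonical_digest(context_bytes: bytes) -> str:
    """sha256 over a canonical JSON form of the fetched context.

    Re-serializing with sorted keys and no whitespace means an equivalent
    context served with different formatting still verifies.
    """
    parsed = json.loads(context_bytes.decode("utf-8"))
    canonical = json.dumps(parsed, sort_keys=True, separators=(",", ":"))
    return "sha256-" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def context_is_trusted(doc: dict, fetched_context: bytes) -> bool:
    """True only if the document pins a digest and the fetched bytes match it.

    A document with no pin is rejected: anything able to rewrite a plaintext
    http:// context fetch could also strip the property if absence were allowed.
    Unparseable context bytes are rejected rather than raising.
    """
    pinned = doc.get(DIGEST_PROPERTY)
    if not isinstance(pinned, str) or not pinned.startswith("sha256-"):
        return False
    try:
        actual = canonical_digest(fetched_context)
    except (UnicodeDecodeError, ValueError):
        return False
    return hmac.compare_digest(pinned, actual)


# Constructed sample context (not the real purl.org/payswarm/v1 document).
GOOD_CONTEXT = (b'{"@context": {"ps": "http://purl.org/payswarm#", '
                b'"price": "ps:price", "dest": "ps:destination"}}')
# Same mappings, different key order and whitespace: must still verify.
GOOD_CONTEXT_REFORMATTED = (b'{ "@context" : { "dest" : "ps:destination",\n'
                            b' "price" : "ps:price", "ps" : "http://purl.org/payswarm#" } }')
# Constructed tampered copy: "dest" now maps to ps:source, the sort of
# source/destination swap the message worries about. Must be rejected.
TAMPERED_CONTEXT = (b'{"@context": {"ps": "http://purl.org/payswarm#", '
                    b'"price": "ps:price", "dest": "ps:source"}}')

# Constructed document that pins the digest of the context it was written against.
SAMPLE_DOC = {
    "@context": "http://purl.org/payswarm/v1",
    DIGEST_PROPERTY: canonical_digest(GOOD_CONTEXT),
    "price": "10.00",
}
```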