- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Mon, 22 Jan 2007 10:12:14 -0500
- To: "George Staikos" <staikos@kde.org>, "W3 Work Group" <public-wsc-wg@w3.org>
Cert problems and complexity - Is this why many sites are just using http for the splash page and only encrypting credentials?

We had a long list of sites using http with credentials that had a padlock. Many of these sites were banking or other high value sites that only used http noting that the credentials were secure.

Hope that this direction is not a trend.

Bill D.
wdoyle@mitre.org

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On Behalf Of George Staikos
Sent: Sunday, January 21, 2007 10:21 PM
To: W3 Work Group
Subject: Re: use case: TLS Man in the Middle (ACTION-73)

www.usair.com was pushing out the certificate for www.usairways.com this weekend. If high-profile sites like this are screwing up this badly, perhaps we need to take action on the UA side. I really feel comfortable with the idea of completely blocking access to sites with misconfigured certificates like this. Unfortunately it's another case of "we have to break all the browsers simultaneously".

On 9-Jan-07, at 11:50 AM, Thomas Roessler wrote:

>
> Another in the "specific interactions" department.
>
> Alice tries to connect to a web site at <https://www.example.com/>.
> Her user agent's TLS implementation detects that the domain name
> present in the certificate differs from www.example.com.
>
> Regards,
> --
> Thomas Roessler, W3C <tlr@w3.org>
>

--
George Staikos
KDE Developer http://www.kde.org/
Staikos Computing Services Inc. http://www.staikos.net/
Received on Monday, 22 January 2007 15:12:33 UTC
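
The name check behind the use case in this thread, as an added example that is not part of the original messages or any browser's code: a user agent compares the requested host with the DNS names in the server certificate, honouring a wildcard only as the whole left-most label. The certificate name lists are constructed for illustration, and the function names are hypothetical.

```python
# Added example: reference-identity check a user agent performs after the
# TLS handshake. Certificate name lists below are constructed, not captured.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, host):
    """Match one certificate dNSName entry against the requested host."""
    if "*" in host:
        return False                      # the requested name is never a pattern
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in p or "" in h:
        return False                      # a wildcard covers exactly one label
    if p[0] == "*":
        # Refuse "*.com"-style patterns: require two fixed labels after "*".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False                      # partial or non-leftmost wildcard
    return p == h

def check_identity(requested_host, cert_dns_names):
    """Return (ok, reason) so the UA can decide whether to warn or block."""
    for name in cert_dns_names:
        if dns_name_matches(name, requested_host):
            return True, "matched " + name
    return False, "%s not among certificate names %s" % (
        requested_host, sorted(cert_dns_names))

# Constructed inputs modelling the two cases discussed in the thread.
USAIRWAYS_CERT = ["www.usairways.com"]            # assumed contents of that cert
EXAMPLE_CERT = ["example.com", "*.example.com"]   # constructed

if __name__ == "__main__":
    cases = [("www.usair.com", USAIRWAYS_CERT),
             ("www.usairways.com", USAIRWAYS_CERT),
             ("www.example.com", EXAMPLE_CERT),
             ("a.b.example.com", EXAMPLE_CERT)]
    for host, names in cases:
        print(host, check_identity(host, names))
```
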