- From: Richard Smith <richard@ex-parrot.com>
- Date: Fri, 7 Jul 2017 23:35:28 +0100 (BST)
- To: semantic-web@w3.org
- cc: Harry Halpin <hhalpin@ibiblio.org>
Harry Halpin wrote:

> The answer should be yes.

Just to clarify: is that the answer to "Should I use https: IRIs"? Or to "Is there some other consideration I'm missing"?

> There is no perfectly safe way of upgrading from HTTP to
> HTTPS without cert pinning as well.

Do you mean public key pinning (HPKP [1])? I certainly agree that needs to be part of the recipe for securing HTTPS.

But I would think that HTTPS without HPKP was still better than plain HTTP. To compromise HTTPS without HPKP you need to both stage a MITM attack and fraudulently obtain a certificate from a trusted CA, whereas to compromise plain HTTP you need only stage a MITM attack. I accept that if you're in a position to stage a MITM, it's relatively easy to circumvent most CAs' verification measures, but it's one further thing an attacker has to do.

In any case, HPKP isn't a perfect solution for the same reason HSTS isn't: it only protects you after your first visit, and assumes your client stores the key hash. Most browsers do support HPKP and HSTS, but I'm not sure that many HTTP libraries do. This would be mitigated if the equivalent of HPKP and HSTS headers were also found in DNS, and were secured using DNSSEC.

> I have a detailed analysis of this as regards RDF that I
> can share soon (it's under review)

I'll look forward to it.

Richard

[1] https://tools.ietf.org/html/rfc7469
Received on Friday, 7 July 2017 22:38:35 UTC
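
The first-visit limitation discussed in the message above, as an added example that is not part of the original post: a simplified RFC 7469 pin cache of the kind an HTTP library would need, showing that a client with no stored pins has nothing to check a served key against. The `PinStore` class, the host name and the key byte strings are hypothetical and constructed for illustration; the byte strings stand in for DER SubjectPublicKeyInfo, and report-only mode and `includeSubDomains` are left out.

```python
import base64
import hashlib
import re
import time

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Return (set of pin-sha256 values, max-age in seconds or None)."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    m = re.search(r'max-age=(\d+)', header)
    return pins, int(m.group(1)) if m else None

class PinStore:
    """Hypothetical client-side pin cache (trust on first use)."""
    def __init__(self):
        self.noted = {}  # host -> (pins, expiry timestamp)

    def connect(self, host, served_spki, pkp_header=None, now=None):
        """Return 'unpinned', 'ok' or 'rejected' for one TLS connection."""
        now = time.time() if now is None else now
        pin = spki_pin(served_spki)
        entry = self.noted.get(host)
        if entry and entry[1] > now:
            if pin not in entry[0]:
                return "rejected"      # key differs from the noted pins
            verdict = "ok"
        else:
            verdict = "unpinned"       # first visit or expired: nothing to check
        if pkp_header:
            pins, max_age = parse_pkp(pkp_header)
            # Note pins only if the served key is among them and a backup exists.
            if max_age and pin in pins and len(pins) >= 2:
                self.noted[host] = (pins, now + max_age)
        return verdict

# Constructed sample inputs: stand-in byte strings, not real DER keys.
SITE_KEY, BACKUP_KEY, OTHER_KEY = b"site-spki", b"backup-spki", b"other-spki"
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=600' % (
    spki_pin(SITE_KEY), spki_pin(BACKUP_KEY))

def demo():
    fresh, returning = PinStore(), PinStore()
    returning.connect("example.org", SITE_KEY, HEADER, now=0)
    return (
        fresh.connect("example.org", OTHER_KEY, now=1),        # never visited
        returning.connect("example.org", OTHER_KEY, now=1),    # pins noted
        returning.connect("example.org", SITE_KEY, now=2),
        returning.connect("example.org", OTHER_KEY, now=601),  # pins expired
    )
```
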