On 12/10/2014 12:31 PM, Domenic Denicola wrote: > From: Melvin Carvalho [mailto:melvincarvalho@gmail.com] > >> Firstly, HTTP isnt always insecure, it can be, but is not always > > HTTP is always insecure by definition. The insecure transport is not > always being *attacked*, but you have literally no way of knowing > whether you're being attacked or not, so for all practical purposes > you must always assume an attack. I'll make an assertion, an observation, and a recommendation. I'll assert that 'http://localhost:8088/' is secure. More precisely, if that can't be secured, then one needs to give up all hope. I'd suggest that a web server on a camera connected via USB to a desktop is another such scenario. I'll observe that the current draft finding, as currently written, seems to be provoking peoples desire to present the "other side". I'll recommend that future TAG drafts attempt to preemptively document the other side; i.e., attempt to capture and exhaustively enumerate the the precious few times when http is secure enough. - Sam RubyReceived on Wednesday, 10 December 2014 18:28:36 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC