- From: Sam Ruby <rubys@intertwingly.net>
- Date: Wed, 10 Dec 2014 13:28:08 -0500
- To: www-tag@w3.org
On 12/10/2014 12:31 PM, Domenic Denicola wrote:
> From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
>
>> Firstly, HTTP isn't always insecure, it can be, but is not always
>
> HTTP is always insecure by definition. The insecure transport is not
> always being *attacked*, but you have literally no way of knowing
> whether you're being attacked or not, so for all practical purposes
> you must always assume an attack.

I'll make an assertion, an observation, and a recommendation.

I'll assert that 'http://localhost:8088/' is secure. More precisely, if that can't be secured, then one needs to give up all hope. I'd suggest that a web server on a camera connected via USB to a desktop is another such scenario.

I'll observe that the current draft finding, as currently written, seems to be provoking people's desire to present the "other side".

I'll recommend that future TAG drafts attempt to preemptively document the other side; i.e., attempt to capture and exhaustively enumerate the precious few times when http is secure enough.

- Sam Ruby

Received on Wednesday, 10 December 2014 18:28:36 UTC