Re: Draft finding - "Transitioning the Web to HTTPS"

On 12/10/2014 12:31 PM, Domenic Denicola wrote:
> From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
>
>> Firstly, HTTP isn't always insecure, it can be, but is not always
>
> HTTP is always insecure by definition. The insecure transport is not
> always being *attacked*, but you have literally no way of knowing
> whether you're being attacked or not, so for all practical purposes
> you must always assume an attack.

I'll make an assertion, an observation, and a recommendation.

I'll assert that 'http://localhost:8088/' is secure.  More precisely, if 
that can't be secured, then one needs to give up all hope.  I'd suggest 
that a web server on a camera connected via USB to a desktop is another 
such scenario.

I'll observe that the current draft finding, as currently written, seems 
to be provoking people's desire to present the "other side".

I'll recommend that future TAG drafts attempt to preemptively document 
the other side; i.e., attempt to capture and exhaustively enumerate the 
precious few times when http is secure enough.

- Sam Ruby

Received on Wednesday, 10 December 2014 18:28:36 UTC
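The message above argues that http://localhost:8088/ is one of the "precious few" cases where plain HTTP is secure enough. The following is an added example, not code from the thread or from any W3C document: a small Python classifier for the policy the message implies (TLS schemes, or plain HTTP only when the host is loopback). The scheme set, the treatment of "*.localhost" as loopback, and the sample URLs are this editor's assumptions, chosen to show the edge cases a naive string match on "localhost" gets wrong (subdomain lookalikes, userinfo tricks, IPv6 loopback). Note that the USB-camera scenario in the message cannot be recognised from the URL alone; a policy like this one only sees the origin.

```python
"""Classify whether a URL's origin is "secure enough" under a loopback-
or-TLS policy.  Added example; the policy choices are assumptions, not
a normative definition from the TAG finding."""

import ipaddress
from urllib.parse import urlsplit

# Schemes that are encrypted end to end (assumption: we do not validate
# the certificate here; that is the TLS stack's job, not the origin check).
TLS_SCHEMES = {"https", "wss"}
# Plaintext schemes that are acceptable only on a loopback host.
PLAINTEXT_SCHEMES = {"http", "ws"}


def classify(url: str) -> str:
    """Return one of 'tls', 'loopback', 'insecure' or 'unknown-scheme'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    if scheme in TLS_SCHEMES:
        return "tls"
    if scheme not in PLAINTEXT_SCHEMES:
        # file:, ftp:, data: etc. are out of scope for this policy.
        return "unknown-scheme"

    # urlsplit().hostname lowercases the host, strips IPv6 brackets and
    # drops any userinfo, so "http://localhost@evil.example/" yields the
    # real host "evil.example" rather than "localhost".
    host = parts.hostname
    if host is None:
        return "insecure"

    # Assumption: treat "localhost" and any "*.localhost" name as loopback,
    # but NOT "localhost.evil.example", which a suffix check alone would
    # misclassify.
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"

    # Literal IPs: anything in 127.0.0.0/8 or ::1 is loopback; any other
    # address, or a non-IP hostname, is an ordinary plaintext origin.
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "insecure"
    return "loopback" if addr.is_loopback else "insecure"


def is_secure_enough(url: str) -> bool:
    """True for TLS origins and for plaintext origins on a loopback host."""
    return classify(url) in ("tls", "loopback")


if __name__ == "__main__":
    # Constructed sample URLs covering the cases discussed above.
    samples = [
        "http://localhost:8088/",
        "http://127.0.0.1/",
        "http://[::1]:8080/",
        "http://app.localhost/",
        "https://example.com/",
        "http://example.com/",
        "http://localhost.evil.example/",
        "http://localhost@evil.example/",
        "http://127.0.0.1.evil.example/",
        "ftp://localhost/",
    ]
    for u in samples:
        print(f"{u:40} {classify(u):15} secure_enough={is_secure_enough(u)}")
```

The two lookalike cases are the ones worth keeping in a test suite: "localhost.evil.example" defeats a suffix match, and "localhost@evil.example" defeats a prefix match on the netloc; parsing the host out properly handles both.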