- From: Yves Lafon <ylafon@w3.org>
- Date: Mon, 15 Dec 2014 11:11:48 -0500 (EST)
- To: Sam Ruby <rubys@intertwingly.net>
- cc: www-tag@w3.org
On Wed, 10 Dec 2014, Sam Ruby wrote:
> On 12/10/2014 12:31 PM, Domenic Denicola wrote:
>> From: Melvin Carvalho [mailto:melvincarvalho@gmail.com]
>>
>>> Firstly, HTTP isnt always insecure, it can be, but is not always
>>
>> HTTP is always insecure by definition. The insecure transport is not
>> always being *attacked*, but you have literally no way of knowing
>> whether you're being attacked or not, so for all practical purposes
>> you must always assume an attack.
>
> I'll make an assertion, an observation, and a recommendation.
>
> I'll assert that 'http://localhost:8088/' is secure. More precisely, if that
> can't be secured, then one needs to give up all hope. I'd suggest that a web
> server on a camera connected via USB to a desktop is another such scenario.
I agree for localhost (if running on a privileged port), but for USB,
anything you plug is by definition insecure. See
<http://travisgoodspeed.blogspot.fr/2012/10/emulating-usb-dfu-to-capture-firmware.html>
for example.
--
Baroula que barouleras, au tiƩu toujou t'entourneras.
~~Yves
Received on Monday, 15 December 2014 16:11:49 UTC