Re: Draft finding - "Transitioning the Web to HTTPS"

From: Yves Lafon <ylafon@w3.org>
Date: Wed, 17 Dec 2014 05:13:02 -0500 (EST)
To: Martin Thomson <martin.thomson@gmail.com>
cc: Sam Ruby <rubys@intertwingly.net>, www-tag@w3.org
Message-ID: <alpine.DEB.2.00.1412170508430.1654@wnl.j3.bet>

On Mon, 15 Dec 2014, Martin Thomson wrote:

> On 15 December 2014 at 08:11, Yves Lafon <ylafon@w3.org> wrote:
>> I agree for localhost (if running on a privileged port)
>
> Define "privileged port".  That's harder than it sounds, I'll bet.

Hum... indeed, let's say a local server run by a privileged (aka 
trusted) user.

> I've always thought that it's probably OK to consider the threat model
> to only include attackers that are remote, in this case.  I don't know
> if we've ever really considered the threat model on the inside of a
> machine.  Is that something we really need to consider?  Can the USB
> device influence what is on loopback?

As a USB device communicates using a specific protocol, the threat can be 
seen as remote. Plugging something in a USB port is easy, plugging 
something in a SATA port is a bit more difficult.

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

         ~~Yves
Received on Wednesday, 17 December 2014 10:13:06 UTC
