- From: Eric J. Bowman <eric@bisonsystems.net>
- Date: Tue, 30 Dec 2014 12:45:54 -0700
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Anne van Kesteren wrote: > > Eric J. Bowman wrote: > > > The problem as I see it, is that the debate is between no-auth HTTP > > and HTTPS -- with no discussion of HTTP Digest and how it may be > > improved to solve the problems HTTPS purports to, without the > > drawbacks as I see them. > > It seems like you are confusing user authentication with domain > authentication. > I assure you I'm not. > > Without HTTPS the attacker controls *all* bytes to and from the user. > There's no way to get authenticated transport to a given domain. > Even with HTTPS, I have no way of knowing whether or not the content that the user sees, is the content I expect them to see, and vice-versa. -Eric
Received on Tuesday, 30 December 2014 19:46:09 UTC