W3C home > Mailing lists > Public > www-tag@w3.org > December 2014

Re: Fwd (TAG): Draft finding - "Transitioning the Web to HTTPS"

From: Eric J. Bowman <eric@bisonsystems.net>
Date: Tue, 30 Dec 2014 12:45:54 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Nick Doty <npdoty@w3.org>, David Singer <singer@apple.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <20141230124554.53766c02e45bcb2bc9c720f4@bisonsystems.net>
Anne van Kesteren wrote:
>
> Eric J. Bowman wrote:
>
> > The problem as I see it, is that the debate is between no-auth HTTP
> > and HTTPS -- with no discussion of HTTP Digest and how it may be
> > improved to solve the problems HTTPS purports to, without the
> > drawbacks as I see them.
> 
> It seems like you are confusing user authentication with domain
> authentication.
>

I assure you I'm not.

>
> Without HTTPS the attacker controls *all* bytes to and from the user.
> There's no way to get authenticated transport to a given domain.
> 

Even with HTTPS, I have no way of knowing whether or not the content
that the user sees, is the content I expect them to see, and vice-versa.

-Eric
Received on Tuesday, 30 December 2014 19:46:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:08 UTC