Anne van Kesteren wrote:
>
> Eric J. Bowman wrote:
> >
> > The problem as I see it, is that the debate is between no-auth HTTP
> > and HTTPS -- with no discussion of HTTP Digest and how it may be
> > improved to solve the problems HTTPS purports to, without the
> > drawbacks as I see them.
>
> It seems like you are confusing user authentication with domain
> authentication.
>

I assure you I'm not.

>
> Without HTTPS the attacker controls *all* bytes to and from the user.
> There's no way to get authenticated transport to a given domain.
>

Even with HTTPS, I have no way of knowing whether or not the content
that the user sees, is the content I expect them to see, and vice-versa.

-Eric

Received on Tuesday, 30 December 2014 19:46:09 UTC