- From: Chris Palmer <palmer@google.com>
- Date: Thu, 15 Jan 2015 23:54:40 -0800
- To: Noah Mendelsohn <nrm@arcanedomain.com>
- Cc: "www-tag@w3.org" <www-tag@w3.org>
On Thu, Jan 15, 2015 at 5:54 PM, Noah Mendelsohn <nrm@arcanedomain.com> wrote: > Also wondering whether, apropos the recent debates about moving to HTTPS, > companies like Verizon would be able to MITM HTTPs traffic to play games > like this. Seems to depend on the cert control provided by mobile browsers, > and I'm concerned that in practice many of the browsers come from the ISPs, > which supply the phones, which check the certs.... A code-signed browser from a trustworthy source, consulting only its own trust anchor store and/or enforcing key pinning and/or enforcing Certificate Transparency, can generally enforce the guarantees of HTTPS (which include stopping these cookie insertion attacks). Of course, if the platform is under the control of someone other than the owner, such as the carrier, the platform can subvert any application at run-time. That underscores the importance of getting one's platform from a trustworthy vendor. But that problem is entirely outside of TAG's scope. HTTPS is what we can do. Buttressing the web PKI is what we can do. So we do. Some companies with representatives on this list are also trying to provide trustworthy platforms to run apps on, too. So we do. Surely, you weren't hoping to use evidence of application-layer attacks as a reason to not adopt effective application-layer security techniques.
Received on Friday, 16 January 2015 07:55:14 UTC