- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 18 Jan 2015 03:03:09 +0100
- To: Chris Palmer <palmer@google.com>
- Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>

* Chris Palmer wrote:
>A code-signed browser from a trustworthy source, consulting only its
>own trust anchor store and/or enforcing key pinning and/or enforcing
>Certificate Transparency, can generally enforce the guarantees of
>HTTPS (which include stopping these cookie insertion attacks).
>
>Of course, if the platform is under the control of someone other than
>the owner, such as the carrier, the platform can subvert any
>application at run-time.
>
>That underscores the importance of getting one's platform from a
>trustworthy vendor. But that problem is entirely outside of TAG's
>scope.

When you use an Acme browser on an Acme phone running the Acme OS to
access Acme web services over Internet services provided by Acme, to
clarify your terminology, what would be "your platform", would you be
the "owner" of it, and would it be under "your control"?

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/

Received on Sunday, 18 January 2015 02:03:40 UTC