
Re: Verizon Wireless ISP-injected tracking info used to reconstruct deleted cookies

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 18 Jan 2015 03:03:09 +0100
To: Chris Palmer <palmer@google.com>
Cc: Noah Mendelsohn <nrm@arcanedomain.com>, "www-tag@w3.org" <www-tag@w3.org>
Message-ID: <494mbapqou7k2mmd9b7e42b6lsm3ta9ani@hive.bjoern.hoehrmann.de>
* Chris Palmer wrote:
>A code-signed browser from a trustworthy source, consulting only its
>own trust anchor store and/or enforcing key pinning and/or enforcing
>Certificate Transparency, can generally enforce the guarantees of
>HTTPS (which include stopping these cookie insertion attacks).
>
>Of course, if the platform is under the control of someone other than
>the owner, such as the carrier, the platform can subvert any
>application at run-time.
>
>That underscores the importance of getting one's platform from a
>trustworthy vendor. But that problem is entirely outside of TAG's
>scope.

When you use an Acme browser on an Acme phone running the Acme OS to
access Acme web services over Internet services provided by Acme, to
clarify your terminology, what would be "your platform", would you be
the "owner" of it, and would it be under "your control"?
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
 Available for hire in Berlin (early 2015)  · http://www.websitedev.de/ 
Received on Sunday, 18 January 2015 02:03:40 UTC
