- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 19 Jan 2015 12:59:23 +0100
- To: Paul Libbrecht <paul@hoplahup.net>
- Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
On Mon, Jan 19, 2015 at 12:51 PM, Paul Libbrecht <paul@hoplahup.net> wrote:
> Please make browsers act reasonably when contacting web-sites that
> present self-signed, expired, and other such certificates.
> The crypto still happens, it's just less verified.

How do you distinguish that happening from a man-in-the-middle attack without every site that uses TLS also adopting key pinning (and the administrative nightmares that gives)?

Anything but proper CA certificates is a major attack vector, and if anything we should move towards making it impossible to connect to such sites.

--
https://annevankesteren.nl/
Received on Monday, 19 January 2015 11:59:47 UTC
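The point made in the reply above, shown in code as an added example (not part of the thread and not anyone's browser implementation): two self-signed certificates for the same hypothetical host name, one from the genuine site and one an attacker minted a second ago, are indistinguishable to the ordinary chain-building check, which rejects both for the same reason; only a pin on the site's own SubjectPublicKeyInfo hash tells them apart. The host name `example.test` and both certificates are constructed inline, and no network is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a fresh self-signed leaf certificate for host with a new
// P-256 key. Anyone, including a man-in-the-middle, can do exactly this.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiPin computes the pin a site would publish: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainOK is the default browser check: is there a path from the leaf to a
// trusted root that also matches host and the current time?
func chainOK(c *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// pinOK is the key-pinning check: is the leaf's public key one the site committed to?
func pinOK(c *x509.Certificate, pins map[string]bool) bool {
	return pins[spkiPin(c)]
}

// Outcome records what each check says about the genuine site's certificate
// and about an attacker's look-alike certificate for the same host.
type Outcome struct {
	ChainGenuine, ChainAttacker bool
	PinGenuine, PinAttacker     bool
}

// Compare generates a genuine and an attacker certificate for host (a constructed
// scenario, not real traffic) and runs both checks against each one.
func Compare(host string) (Outcome, error) {
	genuine, err := selfSigned(host)
	if err != nil {
		return Outcome{}, err
	}
	attacker, err := selfSigned(host) // same name, different key
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()                     // no CA has signed either cert
	pins := map[string]bool{spkiPin(genuine): true} // the pin the genuine site published
	return Outcome{
		ChainGenuine:  chainOK(genuine, roots, host),
		ChainAttacker: chainOK(attacker, roots, host),
		PinGenuine:    pinOK(genuine, pins),
		PinAttacker:   pinOK(attacker, pins),
	}, nil
}

func main() {
	o, err := Compare("example.test")
	if err != nil {
		panic(err)
	}
	fmt.Printf("chain check: genuine=%v attacker=%v\n", o.ChainGenuine, o.ChainAttacker)
	fmt.Printf("pin check:   genuine=%v attacker=%v\n", o.PinGenuine, o.PinAttacker)
}
```

The chain check returns the same verdict (unknown authority) for both certificates, so a policy of "accept self-signed" would have to accept the attacker's as well; the pin check is the only one of the two with enough information to separate them, and it only works because the site published its key hash out of band beforehand, which is the administrative burden the reply refers to.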