On 15/01/13 04:53 AM, [email protected] wrote:
Oh, I see. So basically they are breaking the implied promise of the
https component of the URL.
In words, if one sticks https at the front of the URL, we are
instructing the browser as our agent to connect securely with the server
using SSL, and to check the certs are in sync.
The browser is deciding it has a better idea, and is redirecting that
URL to a cloud server somewhere.
(I'm still just trying to understand the model. Yes, I'm surprised, I
had never previously heard of this.)
Is it not now fair to say that the client has become the server's
server, and not just in the matter of which we are speaking here?
Consider the shrinking proportion of the web that is available to
those who refuse Javascript, just to give a second example.
If irrelevant, please forgive the diversion,
Indeed. Part of the problem is that the net has moved, and the CAs and
vendors have not really noticed. This is the fundamental flaw of
CABForum -- they have documented the technical SSL model to admirable
depth. It's just embarrassing that this is 2013 and that was so 1995.
What to do? Can't stop people living in the past. Just welcome the
people who are living in today?
What has surprised me a bit is that there has been no
Javascript-worldview security model that has emerged.
--dan
iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography