On Fri, Dec 9, 2011 at 10:37 AM, Adam Barth <w...@adambarth.com> wrote:
> On Fri, Dec 9, 2011 at 7:59 AM, Anne van Kesteren <ann...@opera.com> wrote:
>> On Fri, 09 Dec 2011 16:33:08 +0100, Eric Rescorla <e...@rtfm.com> wrote:
>>> Same-origin requests should be OK because the JS would have access
>>> to the relevant sensitive data in any case.
>>
>> Okay, I guess we can make that difference.
>
> Correct me if I'm wrong, but I believe these issues are fixed in TLS
> 1.1.  Most user agents implement TLS 1.1 anyway, so this seems mostly
> like a requirement to put in the security considerations section.

Would that it were this easy.

Unfortunately, many servers do not support TLS 1.1, and to make matters
worse, they do so in a way that is not securely verifiable. By which I mean
that an active attacker can force a client/server pair both of which support
TLS 1.1 down to TLS 1.0. This may be detectable in some way, but not
by TLS's built-in mechanisms. And since the threat model here is an active
attacker, this is a problem.

-Ekr
