On 14 January 2013 06:11, ianG i...@iang.org wrote:
On 13/01/13 22:47 PM, Jeffrey Walton wrote:
On Sun, Jan 13, 2013 at 1:20 PM, Warren Kumari war...@kumari.net wrote:
On Jan 12, 2013, at 4:27 AM, ianG i...@iang.org wrote:
On 11/01/13 02:59 AM, Jon Callas wrote:
-BEGIN PGP SIGNED
So let me play devil's advocate for a moment: You could say that the
browser has two components: One in the phone and one in a server
somewhere. The two components communicate over a channel provided by
good old https. The phone component sends the request to the server
component, which in turn
On Mon, Jan 14, 2013 at 7:23 AM, Harald Hanche-Olsen
han...@math.ntnu.no wrote:
[Ben Laurie b...@links.org (2013-01-14 11:04:11 UTC)]
How is any CA involved in this?
I was wondering the same thing. But then I went back to the first post
of this series, which mentions [1] as the primary
Oh, I see. So basically they are breaking the implied promise of the
https component of the URL.
In words, if one sticks https at the front of the URL, we are
instructing the browser as our agent to connect securely with the server
using SSL, and to check the certs are in sync.
The
On 13/01/13 22:47 PM, Jeffrey Walton wrote:
On Sun, Jan 13, 2013 at 1:20 PM, Warren Kumari war...@kumari.net wrote:
On Jan 12, 2013, at 4:27 AM, ianG i...@iang.org wrote:
On 11/01/13 02:59 AM, Jon Callas wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
...
The Amazon FAQ for Silk did
Relevant to this thread, but OT to the charter of this list.
On Sat, Jan 12, 2013 at 5:46 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Sat, Jan 12, 2013 at 4:27 AM, ianG i...@iang.org wrote:
On 11/01/13 02:59 AM, Jon Callas wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Others
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Jan 12, 2013, at 1:27 AM, ianG wrote:
Oh, I see. So basically they are breaking the implied promise of the https
component of the URL.
In words, if one sticks https at the front of the URL, we are instructing the
browser as our agent to
Jon Callas j...@callas.org wrote:
(The quibble I have is over partial security. My quibble is that lots of
partial security systems label the partial security as being worse than no
security. I believe that partial security is always better than no security.)
Except when it is marketed as
On Fri, Jan 11, 2013 at 10:04 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Thu, Jan 10, 2013 at 7:47 PM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Jon Callas j...@callas.org writes:
Others have said pretty much the same in this thread; this isn't an MITM
attack, it's a proxy browsing
Jeffrey Walton wrote:
How do we teach developers to differentiate between the good
men-in-the-middle vs the bad man-in-the-middle?
According to another post by Peter, good ones would be based on
anonymous D-H.
Perhaps they should be using the evil bit in the TCP/IP header to
indicate
For http there is a mechanism for cache security as this is an issue that
does come up (you do not want to cache security information or responses
with security information in them, eg cookies or information related to one
user and then have the proxy cache accidentally send that to a different
On Fri, Jan 11, 2013 at 1:39 PM, Adam Back a...@cypherspace.org wrote:
For http there is a mechanism for cache security as this is an issue that
does come up (you do not want to cache security information or responses
with security information in them, eg cookies or information related to one
On Jan 11, 2013, at 1:53 PM, Jeffrey Walton wrote:
One of the things I find most befuddling: the industry has conditioned
many folks to accept this sort of thing as normal
(Proxy/Interception on a 'secure' channel), even when those same
folks know better. It seems to be a repeat of browsers
On 11/01/13 21:57 PM, Jeffrey Walton wrote:
On Fri, Jan 11, 2013 at 12:20 PM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Jeffrey Walton wrote:
More seriously, I agree that the questions raised by Jeffrey are relevant,
and I support his main point. End-to-end security should make some
John Kemp wrote:
[...] the _spirit_ of end-to-end semantics is violated here, I believe [...]
Personally, I am not a spiritual cryptography believer.
--
- Thierry Moreau
___
cryptography mailing list
cryptography@randombit.net
On Thu, Jan 10, 2013 at 4:53 PM, ianG i...@iang.org wrote:
On 7/01/13 14:33 PM, ianG wrote:
On 7/01/13 13:25 PM, Ben Laurie wrote:
...
Just on that theme of multiple attacks from different vectors leading to
questions at the systemic level, another certificate failure just got posted
on
When you look at what the Nokia Browser does in the non-TLS case you see
that the Nokia Browser like the Kindle Browser and Opera Mobile use a
dedicated proxy server to avoid DNS latency and permit
cached/compressed/reformatted web pages to be transmitted to the mobile
device. This is performed
On Thu, Jan 10, 2013 at 6:02 PM, Krassimir Tzvetanov
mailli...@krassi.biz wrote:
What the wireshark captures are showing is the OVI app talking to
their cloud (I would speculate the app is just updating its catalog or
something of that sort).
I did not see even a mention of the word
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Others have said pretty much the same in this thread; this isn't an MITM
attack, it's a proxy browsing service.
There are a number of optimized browsers around. Opera Mini/Mobile, Amazon
Silk for the Kindle Fire, and likely others. Lots of old WAP
Jon Callas j...@callas.org writes:
Others have said pretty much the same in this thread; this isn't an MITM
attack, it's a proxy browsing service.
Exactly. Cellular providers have been doing this for ages, it's hardly news.
(Well, OK, given how surprised people seem to be, perhaps it should
20 matches