Eric Rescorla <e...@rtfm.com> wrote on Wednesday, January 3, 2018 at 5:57 AM:

> On Tue, Jan 2, 2018 at 1:40 PM, Mateusz Jończyk <mat.jonc...@o2.pl> wrote:
>
>> CCing Ted Lemon <mellon at fugue.com> as the author of previous
>> proposition.
>>
>> On 02.01.2018 at 21:20, Eric Rescorla wrote:
>> > On Tue, Jan 2, 2018 at 12:08 PM, Mateusz Jończyk <mat.jonc...@o2.pl
>> > <mailto:mat.jonc...@o2.pl>> wrote:
>> >
>> >     Then the browser should display a message inside the warning screen that the
>> >     string cannot be trusted.
>> >
>> > Users tend to ignore that kind of warning.
>> Not any more than they ignore certificate warnings [2].
>
>
> That's not clear. We would be providing some sort of attacker-controlled
> text to the user with a warning that says "you can't trust this". That's
> difficult to pull off.
>
> Moreover, the certificate warnings are under control of the browser, but
> we actively work to discourage the user from ignoring them. Moreover, for
> HSTS sites, the browser doesn't allow the user to override them, so
> providing some attacker-controlled information would make the situation
> materially worse. And given that a lot of the sites which people are likely
> to hit with captive portals are in fact HSTS sites (because HSTS is common
> in big sites) instead showing attacker controlled information would make
> things materially worse.

> providing some attacker-controlled information would make the situation materially worse.

+1

Although some browsers support HSTS, they also offer a "user friendly" configuration item to ignore all SSL warnings.

> -Ekr
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

--
Best Regards
潘蓝兰 Pan Lanlan