[cryptography] yet another certificate MITM attack

dan at geer.org dan at geer.org
Mon Jan 14 20:53:04 EST 2013


> Oh, I see.  So basically they are breaking the implied promise of the 
> https component of the URL.
> 
> In words, if one sticks https at the front of the URL, we are 
> instructing the browser as our agent to connect securely with the server 
> using SSL, and to check the certs are in sync.
> 
> The browser is deciding it has a better idea, and is redirecting that 
> URL to a cloud server somewhere.
> 
> (I'm still just trying to understand the model.  Yes, I'm surprised, I 
> had never previously heard of this.)

Is it not now fair to say that the client has become the server's
server, and not just in the matter of which we are speaking here?
Consider the shrinking proportion of the web that is available to
those who refuse Javascript, just to give a second example.

If irrelevant, please forgive the diversion,

--dan