[html5] r3495 - [] (0) Mention the case of a previously-CA-signed-cert page turning into a self- [...]
whatwg at whatwg.org
Wed Jul 29 01:40:36 PDT 2009
Author: ianh
Date: 2009-07-29 01:40:35 -0700 (Wed, 29 Jul 2009)
New Revision: 3495
Modified:
index
source
Log:
[] (0) Mention the case of a previously-CA-signed-cert page turning into a self-signed-cert page.
Modified: index
===================================================================
--- index 2009-07-29 08:04:10 UTC (rev 3494)
+++ index 2009-07-29 08:40:35 UTC (rev 3495)
@@ -4982,6 +4982,11 @@
erroneous certificates or must act as if such resources were in fact
served with no encryption.</p>
+ <p>User agents should warn the user that there is a potential
+ problem whenever the user visits a page that the user has previously
+ visited, if the page uses less secure encryption on the second
+ visit.</p>
+
<p>Not doing so can result in users not noticing man-in-the-middle
attacks.</p>
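Review bot: The new paragraph in index is inserted directly ahead of the existing sentence "Not doing so can result in users not noticing man-in-the-middle attacks", so "doing so" now reads as referring to the new "should warn" recommendation instead of the preceding "must" requirement about erroneous certificates. Consider placing the new paragraph after that sentence, or rewording the sentence so that its antecedent is explicit.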
@@ -5003,6 +5008,12 @@
from a different host and only apply man-in-the-middle attacks to
that host, for example taking over scripts in the page.</p>
+ <p>If a user bookmarks a site that uses a CA-signed certificate,
+ and then later revisits that site directly but the site has started
+ using a self-signed certificate, the user agent could warn the user
+ that a man-in-the-middle attack is likely underway, instead of
+ simply acting as if the page was not encrypted.</p>
+
</div>
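Review bot: The added example says the user agent "could warn the user that a man-in-the-middle attack is likely underway", while the requirement added earlier in this commit says user agents "should warn" of "a potential problem". The two differ in strength ("could" against "should") and in certainty ("likely" against "potential"); suggest aligning the example's wording with the requirement so that implementers do not read them as two separate behaviours.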
Modified: source
===================================================================
--- source 2009-07-29 08:04:10 UTC (rev 3494)
+++ source 2009-07-29 08:40:35 UTC (rev 3495)
@@ -4664,6 +4664,11 @@
erroneous certificates or must act as if such resources were in fact
served with no encryption.</p>
+ <p>User agents should warn the user that there is a potential
+ problem whenever the user visits a page that the user has previously
+ visited, if the page uses less secure encryption on the second
+ visit.</p>
+
<p>Not doing so can result in users not noticing man-in-the-middle
attacks.</p>
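Review bot: "less secure encryption on the second visit" in the added paragraph leaves the comparison undefined, since the text gives no criterion for ranking one visit's encryption against another's. It also conflicts with "whenever the user visits a page that the user has previously visited", which covers every later visit and not only the second. Suggest stating what counts as a downgrade (the CA-signed to self-signed case from the example added later in this commit is one candidate) and replacing "the second visit" with "a later visit".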
@@ -4685,6 +4690,12 @@
from a different host and only apply man-in-the-middle attacks to
that host, for example taking over scripts in the page.</p>
+ <p>If a user bookmarks a site that uses a CA-signed certificate,
+ and then later revisits that site directly but the site has started
+ using a self-signed certificate, the user agent could warn the user
+ that a man-in-the-middle attack is likely underway, instead of
+ simply acting as if the page was not encrypted.</p>
+
</div>
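Review bot: The example is conditioned on a user who "bookmarks a site", but the requirement it illustrates applies to any page "the user has previously visited", and neither paragraph says what the user agent has to remember about the earlier visit in order to notice the change. Suggest dropping the bookmark condition or adding a sentence saying that the user agent needs to have recorded that the site previously presented a CA-signed certificate.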