[whatwg] meta="encrypt" tag is needed

Ashley Sheridan ash at ashleysheridan.co.uk
Fri May 7 13:43:20 PDT 2010


On Fri, 2010-05-07 at 16:40 -0400, Aryeh Gregor wrote:

> On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> > On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <juuso_html5 at tele3d.net> wrote:
> >> 1) Man-in-the-middle problem; which doesn't exist because
> >>        a) those are just academic mind games
> >
> > You don't get to talk about security anymore.
> 
> I don't think "academic" is an *entirely* unfair characterization of
> MITM on the web, actually.  MITM is hard enough to pull off on the
> open web that unless you're a bank or PayPal or something, it's
> unlikely anyone would bother.  In practice, most web developers don't
> have to worry about MITM.  By contrast, something like XSS or SQL
> injection is often so easy to exploit when it exists that any site is
> at risk, from botnet operators targeting their outdated software or
> from script kiddies feeling bored or spiteful.
> 
> In fact, do you know of *any* examples of MITM attacks being
> successfully used against a public website?  It's not that I doubt
> that it's happened, but I don't actually know of any specific cases.
> In principle, you should be able to harvest lots of passwords by
> dropping some free wireless routers in strategic locations.
> 
> (There's still an entirely different fatal problem with what you
> quoted, though: if you aren't worried about MITM, then encryption is
> pointless to begin with.  I don't dispute your conclusion.  :) )


http://xkcd.com/341/

Maybe not exactly what you had in mind, but it is a man-in-the-middle in
a sort of sense.

Thanks,
Ash
http://www.ashleysheridan.co.uk

