[whatwg] meta="encrypt" tag is needed
Ashley Sheridan
ash at ashleysheridan.co.uk
Fri May 7 13:43:20 PDT 2010
On Fri, 2010-05-07 at 16:40 -0400, Aryeh Gregor wrote:
> On Fri, May 7, 2010 at 4:21 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
> > On Fri, May 7, 2010 at 10:06 AM, Juuso Hukkanen <juuso_html5 at tele3d.net> wrote:
> >> 1) Man-in-the-middle problem; which doesn't exists because
> >> a) those are just academic mind games
> >
> > You don't get to talk about security anymore.
>
> I don't think "academic" is an *entirely* unfair characterization of
> MITM on the web, actually. MITM is hard enough to pull off on the
> open web that unless you're a bank or PayPal or something, it's
> unlikely anyone would bother. In practice, most web developers don't
> have to worry about MITM. By contrast, something like XSS or SQL
> injection is often so easy to exploit when it exists that any site is
> at risk, from botnet operators targeting their outdated software or
> from script kiddies feeling bored or spiteful.
>
> In fact, do you know of *any* examples of MITM attacks being
> successfully used against a public website? It's not that I doubt
> that it's happened, but I don't actually know of any specific cases.
> In principle, you should be able to harvest lots of passwords by
> dropping some free wireless routers in strategic locations.
>
> (There's still an entirely different fatal problem with what you
> quoted, though: if you aren't worried about MITM, then encryption is
> pointless to begin with. I don't dispute your conclusion. :) )
http://xkcd.com/341/
Maybe not exactly what you had in mind, but it is a man-in-the-middle in
a sort of sense.
Thanks,
Ash
http://www.ashleysheridan.co.uk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100507/c8ed1cc4/attachment.htm>
More information about the whatwg
mailing list