[whatwg] checksum attribute in a href tag
Ian Hickson
ian at hixie.ch
Fri Oct 19 12:34:18 PDT 2012
On Fri, 19 Oct 2012, A. Rauschenbach wrote:
>
> If I write an article and link to other documents I want a solution that
> the visitor can be sure that the document he opens is the document I
> originally linked to. (And if its not he gets informed. So he knows that
> the information maybe differ from the one the article talks about.)
I don't think this is something that would be very practical. As Tab says,
pages change a _lot_. You'd just always be getting a warning that the page
had changed, even if the important content had not.
> The second point is that verification if a file was downloaded correctly
> is a computer task not a human task. A standard how to give the
> verification information enables the browser/plugin vendors to do this
> task.
If the file is downloaded over TLS, then it's already verified. Pretty
much any attack scenario in which the file can be corrupted
(man-in-the-middle, server-side corruption, client-side corruption, etc)
can attack the file just as easily as the hash, so there's not really any
gain from checking a hash. (This applies equally well to manual checking.)
Providing such a feature would, in most cases, just give users a false
sense of security.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg
mailing list