On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
> how does tls/https help here? if you get sent to the 'wrong host' whether or not it does https/tls is irrelevant, no? (save the case of chrome and domain pinning)

Because the operator of the "wrong host" cannot obtain an SSL certificate for the right host's domain from a legitimate CA. When the user types in '[therightdomain].com' and their browser immediately sends them to https://therightdomain.com, the HTTPS request will fail and show the user an error message if the site is the wrong one, instead of allowing the wrong server to produce a response.

To be clear, I am suggesting HTTPS should be the default, all servers should support it, and once a browser learns that a site supports HTTPS, it should maintain a memory of that fact in a hash table, refuse to access the site over HTTP unless specifically requested (in order to prevent downgrade attacks), and refuse to try HTTP first when a new domain is entered.

The http:// schema should be removed/deprecated and replaced with insecurehttp://, and plain HTTP only used first if the user types that. That is, HTTPS should become assumed.

Regards,
--
-JH
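
The client-side policy proposed in the message above, as an added JavaScript sketch that is not part of the original post. The class and method names are hypothetical, and sending a typed http:// for a host not yet in the table to HTTPS is this sketch's assumption about the deprecated scheme.

```javascript
// Added sketch of the browser policy proposed above; all names are hypothetical.
class HttpsMemory {
  constructor() {
    this.known = new Set(); // hash table of hosts that have served valid HTTPS
  }

  // Call only after an HTTPS load whose certificate validated.
  remember(host) {
    this.known.add(host.toLowerCase());
  }

  // Map what the user typed to the single request the browser may make.
  resolve(typed) {
    const m = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/i.exec(typed.trim());
    const scheme = m ? m[1].toLowerCase() : ""; // "" means a bare domain
    const rest = m ? m[2] : typed.trim();
    const host = new URL("https://" + rest).hostname; // URL lowercases the host

    if (scheme === "insecurehttp") {
      // The only way to ask for plain HTTP: the user typed it explicitly.
      return { url: "http://" + rest, secure: false, reason: "explicit-insecure" };
    }
    if (scheme === "" || scheme === "https") {
      // HTTPS is assumed; HTTP is never tried first for a new domain.
      return { url: "https://" + rest, secure: true, reason: "https-default" };
    }
    if (scheme === "http") {
      // Known-HTTPS host: refusing HTTP is what blocks a downgrade.
      // Unknown host: going to HTTPS as well is this sketch's assumption.
      const reason = this.known.has(host) ? "http-refused-known-https" : "http-deprecated";
      return { url: "https://" + rest, secure: true, reason };
    }
    throw new Error("unsupported scheme: " + scheme);
  }

  // A failed certificate check ends the navigation; there is no HTTP retry.
  onCertificateFailure(host) {
    return { url: null, secure: true, reason: "certificate-error:" + host.toLowerCase() };
  }
}

// Constructed sample session.
const memory = new HttpsMemory();
memory.remember("therightdomain.com");
for (const typed of ["therightdomain.com", "http://therightdomain.com/login",
                     "insecurehttp://therightdomain.com/", "http://new.example/"]) {
  console.log(typed, "->", JSON.stringify(memory.resolve(typed)));
}
```

The table only grows after a validated HTTPS load, so a first visit is protected by the HTTPS-first default rather than by the memory.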