Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure from softwaredevjirka@gmail.com on 2014-12-17 (public-webappsec@w3.org from December 2014)

From: <softwaredevjirka@gmail.com>
Date: Wed, 17 Dec 2014 14:27:49 -0800 (PST)
To: blink-dev@chromium.org
Cc: annevk@annevk.nl, sigbjorn@opera.com, tylerl@google.com, palmer@google.com, public-webappsec@w3.org, security-dev@chromium.org, dev-security@lists.mozilla.org, chaals@yandex-team.ru
Message-Id: <8e3652c9-65e3-41a4-9a67-9022c3134286@chromium.org>

On Wednesday, December 17, 2014 7:44:59 PM UTC+1, cha...@yandex-team.ru 
wrote:
>
> This is a pretty interesting use case. When you connect at the airport, 
> the typical first thing that happens is you get a warning saying that the 
> site you want to connect to has the wrong certificate (you went to 
> pogoda.yandex.ru but the certtificate is for airport.logins.aero, or 
> 1.1.1.1). 
> -- 
> Charles McCathie Nevile - web standards - CTO Office, Yandex

511 Network Authentication Required?

There is http://tools.ietf.org/html/rfc6585#section-6 for that. Chromium 
bug is https://code.google.com/p/chromium/issues/detail?id=114929 , Firefox 
has their own as well. As far as I know this only works for HTTP 
connections. There really is no reasonable way how the airport can step 
into an HTTPS connection and demand authentication without causing a 
certificate error. There is 
experimantal https://tools.ietf.org/rfc/rfc2521.txt which suggests an ICMP 
packet "Need Authorization", but as I said, it is experimantal. Am I 
missing something?

This gradual roll out of the UI hints that is being proposed now would help 
shift attention to such problems. The problems won't be solved until we get 
to a state we (actually, you ;) truly _need_ to be solving them.

Received on Monday, 22 December 2014 16:58:48 UTC