Not sure if I'm getting anything wrong, but doesn't this open a huge security hole?
Scenario right now is that if I want to be secure on a webpage I type in its HTTPS URL (either directly or through a bookmark) and can be pretty much sure that as long as I don't click on external links I'll stay on that webpage.

Basically this proposal would allow a man-in-the-middle to send me to another webpage each time I click on a (supposedly https protected) link. Given that there are many browsers these days (mobile) that hide the URL bar, that's even more severe.

This severely changes the security expectations one can have from a browser.

--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls