[Webkit-unassigned] [Bug 196182] Using Application Cache on HTTPS websites breaks browser security indicators (e.g. webkit_web_view_get_tls_info()); CertificateInfo not properly cached
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sun Mar 24 17:30:30 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196182
--- Comment #6 from Alexey Proskuryakov <ap at webkit.org> ---
> Why not? If WebKit caches aren't trusted, then we have a big problem!
Locally running malware can modify appcache, but it can't change the content of webpages.
So yes, the user has a big problem in this scenario, but we shouldn't make it bigger by letting the attacker poison the cache for https pages, and especially EV.
> I don't think we need to store trust decisions in the cache, anyway. If we
> just encode the CertificateInfo into the cache using the existing
> WTF::Persistence coders, then the certificate's trust can be evaluated at
> runtime.
With network access, which is not OK for appcache served pages.
I do agree that there is a problem here, but I think that the solution to it is not using appcache.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190325/3234dedc/attachment.html>
More information about the webkit-unassigned
mailing list