2013.02.20 11:54:28 (304182226495614978) from Daniel J. Bernstein, replying to "Matthew Green (@matthew_d_green)" (304051839433838592):
@matthew_d_green No, no, no. HTTPSEC's only ability is to sign redirects. The designers were trying to keep the protocol simple.
2013.02.08 17:13:58 (299913976282771456) from Daniel J. Bernstein:
You think HTTPS has problems? The HTTPSEC proposal is much, much, much worse. http://cr.yp.to/talks/2013.02.07/slides.pdf includes some analysis of HTTPSEC.
2013.02.12 15:39:24 (301339727733338113) from "Matthew Green (@matthew_d_green)":
@hashbreaker Your argument (at the end) is that we've solved the link-level security problem -- ergo this is the only problem.
2013.02.20 02:14:33 (304036282227621892) from Daniel J. Bernstein, replying to "Matthew Green (@matthew_d_green)" (301339727733338113):
@matthew_d_green This "untrusted servers" obsession is _not_ the worst part of HTTPSEC. The talk explicitly pinpoints the worst part.
2013.02.20 03:16:22 (304051839433838592) from "Matthew Green (@matthew_d_green)":
@hashbreaker I didn't get that part. It signs the page body, but some people put redirects in there (which is dumb)?