>>>>> "Josh" == Josh Howlett writes:

>> An attacker can MITM the non-TLS site and capture the
>> authentication, replaying it to gain access to the TLS site as
>> the authenticated user.

Josh> Why don't the GSS EAP channel bindings prevent that attack?

I don't think we get enough information to do real channel bindings from the browser. We could at least have an HTTPS yes-or-no channel-binding flag.
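To make the exchange above concrete, here is an added example (not code from this thread, nor from the GSS-EAP implementation under discussion) that models the relay attack and the proposed "HTTPS yes or no" channel-binding flag. The HMAC over a server challenge is an assumed stand-in for the real GSS-EAP key proof, and the `cb=https` / `cb=http` encoding of the flag is likewise an assumption chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between the browser and the site it authenticates to.
# Stands in for whatever key material the real mechanism establishes; illustration only.
SHARED_KEY = b"constructed-demo-key-not-real"


def channel_binding(https: bool) -> bytes:
    """The one channel fact the thread says a browser could export: HTTPS yes or no.
    The byte encoding is an assumption made for this example."""
    return b"cb=https" if https else b"cb=http"


def client_proof(challenge: bytes, https: bool, bind: bool) -> bytes:
    """Browser side: prove possession of the key over the server's challenge.
    With bind=True the proof also covers the channel-binding value, so a proof
    produced over plain HTTP is not the proof the HTTPS site expects."""
    msg = challenge + (channel_binding(https) if bind else b"")
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


def server_accepts(challenge: bytes, proof: bytes, https: bool, bind: bool) -> bool:
    """Server side: recompute the proof over the channel the server actually sees
    and compare in constant time."""
    msg = challenge + (channel_binding(https) if bind else b"")
    expected = hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def honest_login(bind: bool) -> bool:
    """Victim talks directly to the TLS site; must succeed with or without binding."""
    challenge = secrets.token_bytes(16)
    return server_accepts(challenge, client_proof(challenge, True, bind), True, bind)


def mitm_replay(bind: bool) -> bool:
    """The attack from the thread: the attacker controls the non-TLS site, relays the
    TLS site's challenge to the victim over plain HTTP, captures the victim's proof,
    and replays it to the TLS site. Returns True if the TLS site accepts it."""
    challenge = secrets.token_bytes(16)                         # issued by the TLS site
    captured = client_proof(challenge, https=False, bind=bind)  # victim answers over HTTP
    return server_accepts(challenge, captured, https=True, bind=bind)


if __name__ == "__main__":
    print("no binding, replay accepted:", mitm_replay(bind=False))      # True
    print("HTTPS flag bound, replay accepted:", mitm_replay(bind=True))  # False
```

Binding only a yes/no flag is the weakest useful form of channel binding: it stops the HTTP-to-HTTPS relay shown here because the victim's proof commits to `cb=http`, but it says nothing about which TLS connection or server the proof belongs to. A real channel binding such as `tls-unique` (RFC 5929) would commit to the specific TLS session, which is the information the message above says the browser does not expose.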