Re: [whatwg] Fetch, MSE, and MIX from Mark Watson on 2015-04-16 (public-html-media@w3.org from April 2015)

From: Mark Watson <watsonm@netflix.com>
Date: Thu, 16 Apr 2015 08:10:27 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Martin Thomson <martin.thomson@gmail.com>, Aaron Colwell <acolwell@google.com>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Matthew Wolenetz <wolenetz@google.com>, WHATWG <whatwg@whatwg.org>, Domenic Denicola <d@domenic.me>, Ryan Sleevi <sleevi@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
Message-ID: <CAEnTvdDB0T=iNBn+dur7DvAWpKxkz3rf2m9x_RDz+7R3yWRVeQ@mail.gmail.com>

On Thu, Apr 16, 2015 at 7:53 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Apr 16, 2015 at 4:47 PM, Mark Watson <watsonm@netflix.com> wrote:
> > I hope you would concede that this was not simply a 'change of heart'.
> > We created and shared a new technology (kernel
> > encryption) which makes HTTPS viable for us at our scale. We did it
> > much faster than we predicted 6 months ago, not because it was easy
> > but because we put some very talented people on the problem.
>
> I see, my apologies and congrats to your team!
>
> Did you agree with my assertion nevertheless? That we might want to
> put less effort into enabling this particular MSE use case?
>

That's up to you. For our part it's not something we would find useful,
but maybe others would. Also, the mixed content user interface is not
ideal: the user is led, though typing https, or possibly first seeing the
green padlock or whatever, to expect security and then it is taken away. I
doubt most users have much idea what this means. It would be better if an
HTTP site could somehow cause HTTPS to be used for most of the resources
without any indication to the user (i.e. the indication is the same as an
HTTP site, whatever that becomes).

...Mark

>
>
> --
> https://annevankesteren.nl/
>

Received on Thursday, 16 April 2015 15:10:57 UTC