
Re: Proposal: Prefer secure origins for powerful new web platform features

From: Chris Palmer <palmer@google.com>
Date: Thu, 21 Aug 2014 14:11:38 -0700
Message-ID: <CAOuvq22G1Lec9o_r=OwV4Fpo0nhe-6YV1UHxDbsSKn9q_88zag@mail.gmail.com>
To: Mark Watson <watsonm@netflix.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Aug 21, 2014 at 1:27 PM, Mark Watson <watsonm@netflix.com> wrote:

> I'd take (took) issue with WebCrypto. I know it requires a secure origin in
> Chrome but this is not required by the specification.

It is required by common sense, however. It is not possible to provide
users meaningful security with anonymous, MITM-mangled WebCrypto.

> Switching to HTTPS is not necessarily that cheap or inconsequential to user
> experience. If it were, of course I'd agree. Sounds like we don't have a
> clear understanding of what developers are being asked to do.

I only know about Google, but we are using HTTPS (preferring PFS, no
less) in tier-1, throughput- and (especially) latency-sensitive
products like Search and Gmail. Where possible and in general, we seek
to improve performance by developing things like SPDY and QUIC, and
deploying spiffy new ciphersuites, rather than by turning off the
minimum level of safety.

I understand that your deployment scenario is different — large,
static blobs that benefit from edge-caching, rather than
highly-dynamic content like Search and Gmail. If your CDNs try to
gouge you when you ask them for HTTPS, that's a business matter and of
course above my pay-grade. But I have a hard time seeing a technical
problem. Sharing your experience might be informative for everyone on
the mailing list.
Received on Thursday, 21 August 2014 21:12:04 UTC