Re: Proposal: Marking HTTP As Non-Secure from Chris Palmer on 2014-12-14 (public-webappsec@w3.org from December 2014)

From: Chris Palmer <palmer@google.com>
Date: Sun, 14 Dec 2014 11:08:31 -0800
To: Igor Bukanov <igor@mir2.org>
Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Message-ID: <CAOuvq20wvZNAOYevTeMSvdCnx9UKr07MNv3Aj9+B09OxSXCneg@mail.gmail.com>

On Sun, Dec 14, 2014 at 10:53 AM, Igor Bukanov <igor@mir2.org> wrote:

I.e. just consider that currently a hosting provider has no option to
> unconditionally encrypt pages they host for modern browsers as that may
> break pages of the users. With encrypted http:// they get such option
> delegating the job of fixing warnings about insecure context to the content
> producers as it should.
>

I'm sorry; I still don't understand what you mean. Do you mean that you
want browsers to treat some hypothetical encrypted HTTP protocol as if it
were a secure origin, but still allow non-secure embedded content in these
origins?

I would argue strongly against that, and so far not even the "opportunistic
encryption" advocates have argued for that.

Received on Sunday, 14 December 2014 19:08:58 UTC