
Re: Proposal: Marking HTTP As Non-Secure

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon, 15 Dec 2014 16:18:59 -0800
Message-ID: <CACvaWvbN7q2F8v1FiFgg_FLMmfsFhVBKfcvBeXy0moEZt0NaHw@mail.gmail.com>
To: ferdy.christant@gmail.com
Cc: blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, Adrienne Porter Felt <felt@chromium.org>
On Mon, Dec 15, 2014 at 4:10 PM, <ferdy.christant@gmail.com> wrote:
>
> "If someone thinks their users are OK with their website not having
> integrity/authentication/privacy"
>
> That is an assumption that doesn't apply to every website. Many websites
> don't even have authentication.
>

I think there may be some confusion.

"Authentication" here does not refer to "Does the user authenticate
themselves to the site" (e.g. do they log in), but "Is the site you're
talking to the site you expected" (or, put differently, "Does the server
authenticate itself to the user").

Without authentication in this sense (e.g. talking to whom you think you're
talking to), anyone can trivially impersonate a server and alter the
responses. This is not that hard; here are a few examples for you of why
authentication is important, even for sites without logins:

http://newstweek.com/
http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

This is why it's important to know you're talking to the site you're
expecting (Authentication), and that no one has modified that site's
contents (Integrity).
Received on Tuesday, 16 December 2014 00:19:27 UTC
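The mechanism behind the three links above (an on-path intermediary rewriting plaintext HTTP in both directions) is easy to simulate. The following is an added illustration, not code from the message or from any of the vendors it cites: the request, response, tracking header name and injected script are constructed sample data, and the two `middlebox_*` functions are hypothetical stand-ins for a transparent proxy, not anyone's real implementation. The digest comparison at the end stands in for the integrity property the post calls "Integrity"; a browser has no such out-of-band reference for plain HTTP, which is the point.

```python
"""Simulating what an on-path intermediary can do to plaintext HTTP.

Added illustration for the mailing-list post above; not the post's own
code. All traffic below is constructed sample data.
"""
import hashlib

# Constructed sample traffic: a plain HTTP request and the origin's response.
SAMPLE_REQUEST = (
    b"GET /article HTTP/1.1\r\n"
    b"Host: news.example\r\n"
    b"User-Agent: Example/1.0\r\n"
    b"\r\n"
)

ORIGIN_BODY = b"<html><body><h1>Headline</h1><p>Story.</p></body></html>"
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    + b"Content-Length: %d\r\n" % len(ORIGIN_BODY)
    + b"\r\n"
    + ORIGIN_BODY
)

# Hypothetical payload an intermediary might splice into every HTML page.
INJECTED_SCRIPT = b'<script src="http://ads.example/inject.js"></script>'


def split_message(raw: bytes):
    """Split an HTTP/1.1 message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = [tuple(h.split(b": ", 1)) for h in lines[1:]]
    return lines[0], headers, body


def join_message(start_line: bytes, headers, body: bytes) -> bytes:
    """Reassemble a message produced by split_message()."""
    head = b"\r\n".join([start_line] + [k + b": " + v for k, v in headers])
    return head + b"\r\n\r\n" + body


def middlebox_tag_request(raw: bytes, tracking_id: bytes) -> bytes:
    """Request-side tampering: append a per-subscriber header the user never
    sent. The header name is hypothetical."""
    start, headers, body = split_message(raw)
    headers.append((b"X-Example-Tracking", tracking_id))
    return join_message(start, headers, body)


def middlebox_inject_response(raw: bytes, payload: bytes) -> bytes:
    """Response-side tampering: insert payload before </body> and rewrite
    Content-Length so the client parses the altered body without complaint."""
    start, headers, body = split_message(raw)
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    headers = [(k, v) for k, v in headers if k.lower() != b"content-length"]
    headers.append((b"Content-Length", str(len(new_body)).encode()))
    return join_message(start, headers, new_body)


def body_digest(raw: bytes) -> str:
    """SHA-256 of the message body, used as an integrity reference."""
    _, _, body = split_message(raw)
    return hashlib.sha256(body).hexdigest()


def client_sees_tampering(original: bytes, delivered: bytes) -> bool:
    """True if the delivered body differs from the origin's. A real client
    only gets this guarantee in-band, from TLS; over plain HTTP it has no
    'original' to compare against."""
    return body_digest(original) != body_digest(delivered)


if __name__ == "__main__":
    tagged = middlebox_tag_request(SAMPLE_REQUEST, b"subscriber-42")
    injected = middlebox_inject_response(SAMPLE_RESPONSE, INJECTED_SCRIPT)
    print(tagged.decode())
    print(injected.decode())
    print("tampering detectable with reference:",
          client_sees_tampering(SAMPLE_RESPONSE, injected))
```

Both functions need the plaintext bytes to work; over HTTPS the same device sees only TLS records and can neither read the request to tag it nor find `</body>` to inject into, which is the authentication and integrity the post is describing.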
