- From: Jim Manico <jim.manico@owasp.org>
- Date: Mon, 5 Jan 2015 17:50:37 -0500
- To: Mark Watson <watsonm@netflix.com>
- Cc: Chris Palmer <palmer@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> A site that is almost entirely HTTPS, but with HTTP used to retrieve some data resources, seems to be better than having the site entirely HTTP, no ?

I'd say no. Once you let any part of your website be loaded over HTTP, HTTPS is completely undermined. The benefits of confidentiality, integrity and authenticity only exist when your entire site is HTTPS. I see mixed content and HTTP as being the same, essentially.

--
Jim Manico
@Manicode
(808) 652-3805

> On Jan 5, 2015, at 4:53 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> A site that is almost entirely HTTPS, but with HTTP used to retrieve some data resources, seems to be better than having the site entirely HTTP, no ?

Received on Monday, 5 January 2015 22:51:08 UTC