Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do. from Mike West on 2015-01-08 (public-webappsec@w3.org from January 2015)

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 13:58:47 +0100
To: Chaals from Yandex <chaals@yandex-team.ru>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Chris Palmer <palmer@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=e-NEUGGWe54UffES-ovAuGJr=qkd74CtHgO4bWv8eX9g@mail.gmail.com>

On Thu, Jan 8, 2015 at 1:32 PM, <chaals@yandex-team.ru> wrote:

> 06.01.2015, 02:03, "Mark Watson" <watsonm@netflix.com>:
>
> On Mon, Jan 5, 2015 at 2:50 PM, Jim Manico <jim.manico@owasp.org> wrote:
>
> > A site that is almost entirely HTTPS, but with HTTP used to retrieve
> some data resources, seems to be better than having the site entirely HTTP,
> no ?
>
> I'd say no. Once you let any part of your website be loaded over HTTP,
> HTTPS is completely undermined. The benefits of confidentiality,
> integrity and authenticity only exist when your entire site is HTTPS.
> I see mixed content and HTTP as being the same, essentially.
>
>
> FWIW, if all the resources retrieved over HTTP were protected with
> sub-resource-integrity, then I think you have lost only some
> confidentiality and you still have integrity and authenticity.
>
>
> More to the point, if the ones that are "very important" (the missile
> launching icons) are protected, but the ones that aren't very important
> (the advertisements for luxury apartments in the newly privatised Pentagon)
> are insecure, you *probably* have an improvement over everything unsecured.
> And I don't think you have anything worse.
>
> Which is why Mark's proposal makes a lot of sense to me. It effectively
> tells the user that things are only as strong as the weakest link.
>

And then weakens the weakest link, right?

Note also Brad's response: SRI is ineffective if you don't know the content
you're interested in loading. It probably helps the Netflix case, but
doesn't address the core concern Tim is raising.

>

> As another motivating example, it seems Project Gutenberg doesn't seem to
> use https connections. To be honest, I don't care. Even in an e-book reader
> that imports a hacked King James that says "Thou shalt kill". If we are
> relying on HTTPS for people to correctly interpret the commandment in
> question, I think we're chasing the wrong problem with our solutions.
>

Really? https://www.gutenberg.org/wiki/Bible/King_James_Version loads just
fine for me. :)

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Thursday, 8 January 2015 12:59:40 UTC