Re: UPGRADE: 'HTTPS' header causing compatibility issues. from Mike West on 2015-07-09 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Thu, 9 Jul 2015 08:39:37 +0200
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mark Nottingham <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Ilya Grigorik <igrigorik@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Brian Smith <brian@briansmith.org>
Message-ID: <CAKXHy=fYE_w38wMZ-gRTzBX_JkqanjwaWTDxetvgJMex6VC4KA@mail.gmail.com>

It feels like a distinction without meaning, especially given that we know
passive monitoring is happening on a wide scale. Calling unencrypted
transport affirmatively "insecure" seems fairly reasonable.

-mike
On Jul 9, 2015 06:54, "Martin Thomson" <martin.thomson@gmail.com> wrote:

> On 8 July 2015 at 21:44, Richard Barnes <rbarnes@mozilla.com> wrote:
> > If the web can live with "Referer", it can live with this.  But it seems
> > roughly the same order of magnitude.  It makes me "sic" :)
>
>
> Sounds about right. Find another perspective, like 'update-to-secure'
> if you want to avoid seeming insecure.
>

Received on Thursday, 9 July 2015 06:40:09 UTC