RE: Subresource integrity and mixed-content warnings from Crispin Cowan on 2016-05-23 (public-webappsec@w3.org from May 2016)

From: Crispin Cowan <crispin@microsoft.com>
Date: Mon, 23 May 2016 19:58:23 +0000
To: Chris Palmer <palmer@google.com>, Frederik Creemers <frederikcreemers@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <BN3PR0301MB12205B2A8A925A838143C42DBD4E0@BN3PR0301MB1220.namprd03.prod.outlook.>

Its not lying; the content stream really is coming from HTTPS://yoursever.com/ complete with all 3 guarantees. The hidden fact that yourserver.com is fetching its bitstream from a Ouija board is a separate matter ☺ This is similar to the discussion we had at the F2F a week ago; HTTPS guarantees that yourserver.com said it, but does not and cannot guarantee where yourserver.com got it from.

But yes it likely is an issue WRT the originator’s TOS, get your own lawyer etc., and definitely would be a bandwidth issue.

From: Chris Palmer [mailto:palmer@google.com]
Sent: Monday, May 23, 2016 12:12 PM
To: Frederik Creemers <frederikcreemers@gmail.com>
Cc: public-webappsec@w3.org
Subject: Re: Subresource integrity and mixed-content warnings

On Mon, May 23, 2016 at 12:04 PM, Frederik Creemers <frederikcreemers@gmail.com<mailto:frederikcreemers@gmail.com>> wrote:

Thank you for the reply, it makes total sense. It looks to me like the biggest issue here is transparency to the user. Security and privacy are complicated, even for tech savvy people, and you can't expect most people to take the time to overthink what security guarantees a particular web application they're using does and does not offer, so I understand browsers want to give users a very clear "this website is secure" or "this website is not secure" signal. Your response has also made me realize that there's no workaround for this that I can implement, as there's nothing that I can set up to magically make the connection between the user's browser and the podcaster's server secure (authenticated and encrypted).

Well, technically, it would be possible to lie. You could have your server proxy the original podcast servers, and then the browsers would think that the podcasts came from https://yourserver.com.

But, that would be lying :) and it would also incur heavy bandwidth costs on you. Also, I am not a lawyer, but it might be that not all podcast publishers would approve of such a plan.

I guess the only thing I can do is hope that media servers start accepting secure connections as quickly as possible.

If it makes you feel any better, you're not alone. :)

Received on Monday, 23 May 2016 19:58:54 UTC