Re: Blocking high-risk non-secure downloads from Daniel Veditz on 2019-04-09 (public-webappsec@w3.org from April 2019)

From: Daniel Veditz <dveditz@mozilla.com>
Date: Tue, 9 Apr 2019 13:58:31 -0700
To: Emily Stark <estark@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Joe DeBlasio <jdeblasio@chromium.org>, cthomp@chromium.org
Message-ID: <CADYDTCC6dHApixxiAvvasYTfetJt3_PRK1-OSc1g+agLO0AF5A@mail.gmail.com>

On Tue, Apr 9, 2019 at 11:30 AM Emily Stark <estark@google.com> wrote:

> Over in Chrome land, we've been considering how to drive down non-secure
> downloads, particularly high-risk ones like executables. I wanted to see if
> other browsers would be interested in joining us on this adventure.
>

I would be very happy to push in this direction, limited by the amount of
breakage and user-pushback we can expect. Any statistics you can share
would be a huge help. Insecure downloads from the secure sites of companies
who ought to know better are distressingly common ("but the executables are
signed!").
-Dan Veditz

Received on Tuesday, 9 April 2019 20:59:09 UTC