
Re: Trusted proxy UI strawman

From: Roland Zink <roland@zinks.de>
Date: Fri, 20 Jun 2014 11:48:38 +0200
Message-ID: <53A40376.3070406@zinks.de>
To: ietf-http-wg@w3.org
On 19.06.2014 21:33, William Chan (陈智昌) wrote:
> The need to trust a third party is definitely a problem for content 
> authors today. This is one use case for the Subresource Integrity 
> proposal: http://www.w3.org/TR/2014/WD-SRI-20140318/#resource-integrity-1.
> That said, I do not agree with your assertion that referencing content 
> from a third party is equivalent to being willing to trust a proxy. I 
> am frankly surprised to hear such a statement. Does anyone else agree 
> with this?
Don't think you can be sure what active content will do and it has
access to decrypted content.

>     And you can argue you trust the third party more than the proxy, but
>     that's *your* opinion not necessarily the opinion of your users so the
>     transitive trust issue was opened up the moment js hosting was
>     delegated to a third party. Current browser UI does not inform users
>     that when they visit nicecite.com they're really executing
>     monitoring.js from bigbrother.com.
>     The nice thing about proxying is that it exposes all the trust issues
>     caused by mashing up resources without thinking about the security
>     aspects, instead of burying them in the browser cache where no one
>     thinks to look before it's too late.
>     --
>     Nicolas Mailhot
>     --
>     Nicolas Mailhot
Received on Friday, 20 June 2014 09:49:18 UTC
