Re: Proposal: Prefer secure origins for powerful new web platform features

On Thu, Aug 21, 2014 at 1:19 PM, Chris Palmer <palmer@google.com> wrote:

> On Tue, Aug 19, 2014 at 5:22 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> > I think we should be highly selective about applying any blanket
> > prohibition on access to features from http sites.
>
> Indeed, we are. So far the only new features that require secure origins
> are:
>
> * Service Workers
> * Geofencing (relies on Service Workers)
> * WebCrypto
>
> The great majority of new web platform features, and the large body of
> grandfathered-in features, are available to secure and non-secure
> origins alike.
>

I'd take (took) issue with WebCrypto. I know it requires a secure origin
in Chrome, but this is not required by the specification.


>
> > It is of course quite appropriate for UAs to require user consent,
> > provide warnings etc., including differentiating between use of a feature by a
> > secure origin and a non-secure one, as they see fit. However, the danger
> > of prohibiting things is that web developers may feel a new feature is being
> > "held hostage" in support of an unrelated, albeit noble, goal of
> > encouraging https use.
>
> There is that risk, I agree. But I think it's fair to ask developers
> who want to run long-running threads in the background on peoples'
> phone, which track peoples' locations, why they think that power
> should be granted to unauthenticated, MITM-mangled code. The needs of
> users come first:
>
> http://www.w3.org/TR/html-design-principles/#priority-of-constituencies


In some cases the alternative to the new feature might be use of plugins,
which would be worse for users.


>
>
> It is most often the case that the needs of these constituencies
> align, rather than conflict. But when they do conflict, we must
> prioritize the bare minimum level of safety for users over the
> temporary convenience to developers of not having to turn on an option
> on Nginx and pay $15.
>

Switching to HTTPS is not necessarily that cheap or inconsequential to
user experience. If it were, of course I'd agree. Sounds like we don't have
a clear understanding of what developers are being asked to do.


>
> Put it another way: Should we also want Android, iOS, Mac OS X, and
> Windows applications to not be cryptographically signed? No.
> Well-behaved apps on all platforms, developed by professionals who get
> paid, have signed code. HTTPS is code-signing for the web. It is not
> even the most expensive or difficult code-signing system.
>
> With incredible power comes a tiny amount of responsibility.
>

Indeed. Well said. Applies all around.

...Mark

Received on Thursday, 21 August 2014 20:28:05 UTC