- From: Peter Bowen <pzbowen@gmail.com>
- Date: Sun, 14 Dec 2014 14:57:43 -0800
- To: Chris Palmer <palmer@google.com>
- Cc: Igor Bukanov <igor@mir2.org>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
On Sun, Dec 14, 2014 at 11:08 AM, 'Chris Palmer' via Security-dev <security-dev@chromium.org> wrote:
> On Sun, Dec 14, 2014 at 10:53 AM, Igor Bukanov <igor@mir2.org> wrote:
>
>> I.e. just consider that currently a hosting provider has no option to
>> unconditionally encrypt pages they host for modern browsers as that may
>> break pages of the users. With encrypted http:// they get such option
>> delegating the job of fixing warnings about insecure context to the content
>> producers as it should.
>
> I'm sorry; I still don't understand what you mean. Do you mean that you want
> browsers to treat some hypothetical encrypted HTTP protocol as if it were a
> secure origin, but still allow non-secure embedded content in these origins?

I'm also not clear on what Igor intended, but there is a real issue with browser presentation of URLs using TLS today. There is no way to declare "I know that this page will have insecure content, so don't consider me a secure origin" such that the browser will show a "neutral" icon rather than a warning icon. I think there is a strong impression that a closed lock is better than neutral, but a yellow warning sign over the lock is worse than neutral. Today prevents sites from using HTTPS unless they have a very high confidence that all resources on the page will come from secure origins.

Thanks,
Peter

Received on Monday, 15 December 2014 08:56:18 UTC