Re: Proposal: Marking HTTP As Non-Secure from Igor Bukanov on 2014-12-14 (public-webappsec@w3.org from December 2014)

From: Igor Bukanov <igor@mir2.org>
Date: Sun, 14 Dec 2014 19:53:29 +0100
To: Chris Palmer <palmer@google.com>
Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Message-ID: <CADd11yVXUd+mjgUEdKJ7-x2aDGOkibm_mLhveyfnPbaW98EcCg@mail.gmail.com>

I.e. just consider that currently a hosting provider has no option to
unconditionally encrypt pages they host for modern browsers as that may
break pages of the users. With encrypted http:// they get such option
delegating the job of fixing warnings about insecure context to the content
producers as it should.

On 14 December 2014 at 19:48, Igor Bukanov <igor@mir2.org> wrote:
>
> On 14 December 2014 at 19:40, Chris Palmer <palmer@google.com> wrote:
>
>>
>> But, again, consider the definition of the origin. If it is possible for
>> securely-transported code to run in the same context as non-securely
>> transported code, the securely-transported code is effectively non-secure.
>>
>
> Yes, but the point is that the page will be shown with the same warnings
> as a plain http page rather then showing a broken page.
>

Received on Monday, 15 December 2014 08:56:36 UTC