- From: Michal Zalewski <lcamtuf@google.com>
- Date: Mon, 15 Dec 2014 01:30:02 -0800
- To: Igor Bukanov <igor@mir2.org>
- Cc: Peter Bowen <pzbowen@gmail.com>, Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
> So indeed an option to declare that despite proper certificates and > encryption the site should be treated as of insecure origin is needed. This > way the page will be shown as if it was served as before with plain http > with no changes in user experience. But then it cannot be a https site > since many users still consider that https is enough to assume a secure > site. Hence the idea of encrypted http:// or something that makes user > experience with an encrypted page absolutely the same as she has with plain > http:// down to the browser stripping http:// from the URL. Sounds like you're essentially proposing a flavor of opportunistic encryption for http://, right? That seems somewhat tangential to Chris' original proposal, and there is probably a healthy debate to be had about this; it may be also worthwhile to look at SPDY and QUIC. In general, if you're comfortable with not providing users with a visible / verifiable degree of transport security, I'm not sure how the proposal changes this? By the way, note that nothing is as simple as it seems; opportunistic encryption is easy to suggest, but it's pretty damn hard to iron out all the kinks. If there is genuinely no distinction between plain old HTTP and opportunistically encrypted HTTP, the scheme can be immediately rendered useless by any active attacker, and suffers from many other flaws (for example, how do you link from within that opportunistic scheme to other URLs within your application without downgrading to http:// or upgrading to "real" https://?). Establishing a new scheme solves that, but doesn't really address your other concern - you still need to clean up all links. On top of that, it opens a whole new can of worms by messing around with SOP. /mz
Received on Monday, 15 December 2014 09:30:49 UTC