Re: Proposal: Marking HTTP As Non-Secure

On Mon, Dec 15, 2014 at 4:10 PM, <ferdy.christant@gmail.com> wrote:
>
> "If someone thinks their users are OK with their website not having
> integrity/authentication/privacy"
>
> That is an assumption that doesn't apply to every website. Many websites
> don't even have authentication.
>

I think there may be some confusion.

"Authentication" here does not refer to "Does the user authenticate
themselves to the site" (e.g. do they log in), but "Is the site you're
talking to the site you expected" (or, put differently, "Does the server
authenticate itself to the user").

Without authentication in this sense (e.g. talking to whom you think you're
talking to), anyone can trivially impersonate a server and alter the
responses. This is not that hard; here are a few examples of why
authentication is important, even for sites without logins:

http://newstweek.com/
http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
http://webpolicy.org/2014/10/24/how-verizons-advertising-header-works/

This is why it's important to know you're talking to the site you're
expecting (Authentication), and that no one has modified that site's
contents (Integrity).

Received on Tuesday, 16 December 2014 00:19:27 UTC
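The message above distinguishes server authentication ("am I talking to the site I expected") from integrity ("has anyone modified what that site sent"). The following is an added illustration of the integrity half, not code from the thread or from any project it mentions: it computes and checks a Subresource Integrity style digest over a script body, so a client can detect the kind of on-path modification the linked articles describe. The sample script bodies, the trailing "injected" comment and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script the site operator actually published.
ORIGINAL_SCRIPT = b"window.app = { version: '1.0' };\n"

# Constructed sample: the same script after an intermediary appended content.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* appended by an intermediary */\n"

# Digest algorithms permitted by the Subresource Integrity specification.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI-style integrity token, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(body: bytes, expected: str) -> bool:
    """Check a fetched body against the integrity token the page author published.

    The algorithm is taken from the token's prefix so the check follows whatever
    the publisher chose; the comparison is constant-time out of habit, although
    nothing here is secret.
    """
    algorithm, _, _ = expected.partition("-")
    if algorithm not in SRI_ALGORITHMS:
        return False  # malformed or unsupported token: refuse rather than guess
    actual = sri_digest(body, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    published_token = sri_digest(ORIGINAL_SCRIPT)
    print("published token:", published_token)
    print("original verifies:", verify_integrity(ORIGINAL_SCRIPT, published_token))
    print("tampered verifies:", verify_integrity(TAMPERED_SCRIPT, published_token))
```

The check only helps when the token itself reaches the client unmodified: over plain HTTP an intermediary that rewrites the script can rewrite the published hash in the same response, which is exactly why the reply treats authentication of the server and integrity of its content as a pair rather than as separate goals.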