
Re: Proposal: Marking HTTP As Non-Secure

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 07:17:50 +0100
Message-ID: <CADd11yX8jXbRgMgk97X+S_96oW82zSmJ9+B0DEL6BB6dFbtpLQ@mail.gmail.com>
To: Ryan Sleevi <rsleevi@chromium.org>
Cc: ferdy.christant@gmail.com, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrienne Porter Felt <felt@chromium.org>, security-dev <security-dev@chromium.org>

On 16 December 2014 at 01:18, Ryan Sleevi <rsleevi@chromium.org> wrote:

> "Authentication" here does not refer to "Does the user authenticate
> themselves to the site" (e.g. do they log in), but "Is the site you're
> talking to the site you expected" (or, put differently, "Does
> the server authenticate itself to the user").

With protocols like SRP or J-PAKE, authentication in the first sense (log
in) also provides authentication in the second sense (the protocols ensure
mutual authentication between the user and the server without leaking
passwords). I wish there would be at least some support in the browsers for
these protocols so one could avoid certificates and related problems in
many useful cases.
Received on Tuesday, 16 December 2014 06:18:18 UTC
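
The mutual-authentication property mentioned in the message, shown as an added example that is not part of the original post: a simplified SRP-6a exchange in which the client's proof (M1) and the server's proof (M2) both depend on a key that only a party holding the password or its verifier can derive. The toy group, the hash encoding and the function names are assumptions of this sketch.

```python
import hashlib, secrets

# Toy group for the demo only: 2**521 - 1 is prime but not a safe prime.
# Real SRP deployments use a standardized group such as those in RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """Hash ints/bytes to an int (length-prefixed encoding is an assumption)."""
    h = hashlib.sha256()
    for p in parts:
        b = p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def enroll(password):
    """Server stores (salt, v). The password itself is never stored or sent."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, H(salt, password.encode()), N)

def login(password, salt, v):
    """One exchange, both roles inline.
    Returns (server_accepts_client, client_accepts_server)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N         # server -> client, along with salt
    if A % N == 0 or B % N == 0:           # standard SRP sanity checks
        return False, False
    u = H(A, B)
    x = H(salt, password.encode())         # client side only
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # client's secret
    S_s = pow(A * pow(v, u, N) % N, b, N)                 # server's secret
    K_c, K_s = H(S_c), H(S_s)
    M1 = H(A, B, K_c)                      # client proof, client -> server
    server_ok = M1 == H(A, B, K_s)         # a real server aborts here on failure
    M2 = H(A, M1, K_s)                     # server proof, server -> client
    client_ok = M2 == H(A, M1, K_c)
    return server_ok, client_ok
```

A server that does not hold the verifier for the user's real password fails the client's M2 check, which is the "server authenticates itself to the user" sense from the quoted text.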
