Re: Proposal: Marking HTTP As Non-Secure from Igor Bukanov on 2014-12-16 (public-webappsec@w3.org from December 2014)

From: Igor Bukanov <igor@mir2.org>
Date: Tue, 16 Dec 2014 07:17:50 +0100
To: Ryan Sleevi <rsleevi@chromium.org>
Cc: ferdy.christant@gmail.com, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Adrienne Porter Felt <felt@chromium.org>, security-dev <security-dev@chromium.org>
Message-ID: <CADd11yX8jXbRgMgk97X+S_96oW82zSmJ9+B0DEL6BB6dFbtpLQ@mail.gmail.com>

On 16 December 2014 at 01:18, Ryan Sleevi <rsleevi@chromium.org> wrote:

> "Authentication" here does not refer to "Does the user authenticate
> themselves to the site" (e.g. do they log in), but "Is the site you're
> talking to the site you the site you expected" (or, put differently, "Does
> the server authenticate itself to the user").
>

With protocols like SRP or J-PAKE authentication in the first sense (log
in) also provides authentication in the second sense (protocols ensures
mutual authentication between the user and the server without leaking
passwords). I wish there would be at least some support in the browsers for
these protocols so one could avoid certificates and related problems in
many useful cases.

Received on Tuesday, 16 December 2014 06:18:18 UTC