Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 17 Dec 2014 18:17:22 +0100
Message-ID: <CADnb78goXvadxHBGovSa3oJw7OSWxRUhaSTWowSxcy6QkoTtbA@mail.gmail.com>
To: Sigbjørn Vik <sigbjorn@opera.com>
Cc: tylerl@google.com, blink-dev <blink-dev@chromium.org>, Chris Palmer <palmer@google.com>, WebAppSec WG <public-webappsec@w3.org>, security-dev@chromium.org, dev-security@lists.mozilla.org

On Wed, Dec 17, 2014 at 12:52 PM, Sigbjørn Vik <sigbjorn@opera.com> wrote:
> I respectfully, but strongly, disagree :) If you want to separate the
> states, I'd say that C is better than B. C has *some* security, B has
> *none*.

You would advocate not blocking on certificate failures and just hand
over credentials to network attackers? What would happen exactly when
you visit e.g. google.com from the airport (connected to something
with a shitty captive portal)?

Received on Wednesday, 17 December 2014 17:17:50 UTC
