W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2014

Re: SRI: <a> vs integrity

From: Eduardo Robles Elvira <edulix@agoravoting.com>
Date: Tue, 29 Jul 2014 01:54:29 +0200
Message-ID: <CAHwZu3fC=r6fLyoVGoCtkit_RfoEXWoUYZ3CCbWw07BN3w97FQ@mail.gmail.com>
To: "Hill, Brad" <bhill@paypal.com>
Cc: Brad Hill <hillbrad@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hello Brad & others:

On Mon, Jul 28, 2014 at 8:17 PM, Hill, Brad <bhill@paypal.com> wrote:
> This is longstanding behavior, is under the control of the resource owner, and has a clear meaning: you are attempting a secure connection but we can't verify to whom you are connecting.  Even so, this has proven very problematic for users to interpret correctly and is a source of many false positive security warnings.

Right, it's a longstanding behavior, so it's similar to a design
principle. It was just an example to show that this kind of security
warnings are already there and have been there for long time, it's not
new - not that I like that specific one.

And as you mention it can be problematic, but it's there for a
purpose. I wouldn't make them so bold and in-your-face, but the
a-download-link-integrity use-case is not a corner-case. There are
already quite a few websites trying to do similar things, with poor
results because there's no standard nor usable way to do it. It's
going to be more usable than what people are already doing (saying
"check this hash", which people doesn't usually check, but the browser
could do it automatically and easily), and as a result, more websites
will use this feature, and the web will be more secure overall, with a
simple change in SRI. That's why it would be a shame if we miss the
opportunity to add this to SRI.

> We just had no interest whatsoever at the time of our rechartering in implementing a feature that would have to ask the user something like: "The content at the other end of this link is not the same at the content the creator of this link specified.  It may have changed and still be legitimate content intended by the resource owner, or may be content intended by the resource owner but considered illegitimate by the author of this link, or the page may have been modified in a manner unauthorized by the resource owner, or the author of the link may have incorrectly specified what they expected.  We cannot give you *any information whatsoever* as to the nature or extent of the changes.  Continue?"

Security vs. usability, round 100+1 :-). I understand that what to
some (like me or Julian) makes a lot sense now, might not make sense
to the people making in the standard at the time. That's why I like
that we have an open mailing list to comment these things. The warning
doesn't need to be worded as you worded. It sure can, in a hidden
optional "more details" section. By default it could just say "This
content is labeled as insecure by the web site, do you really want to
continue?" or something similar. I'd let usability people figure the

Received on Monday, 28 July 2014 23:55:26 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC