- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 28 Jul 2014 17:31:46 -0700
- To: Chris Palmer <palmer@google.com>
- Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, public-webappsec@w3.org, Julian Reschke <julian.reschke@gmx.de>, "Hill, Brad" <bhill@paypal.com>
- Message-ID: <CAEeYn8hAf+eKZ0iHdvcP-7AvezDWxem4-C42QVnyVhH8QdffTw@mail.gmail.com>
Just to be clear, I'm not arguing against SRI for downloads, just for navigable uses of anchors. On Jul 28, 2014 5:13 PM, "Chris Palmer" <palmer@google.com> wrote: > On Mon, Jul 28, 2014 at 4:54 PM, Eduardo Robles Elvira > <edulix@agoravoting.com> wrote: > > >> We just had no interest whatsoever at the time of our rechartering in > implementing a feature that would have to ask the user something like: "The > content at the other end of this link is not the same at the content the > creator of this link specified. It may have changed and still be > legitimate content intended by the resource owner, or may be content > intended by the resource owner but considered illegitimate by the author of > this link, or the page may have been modified in a manner unauthorized by > the resource owner, or the author of the link may have incorrectly > specified what they expected. We cannot give you *any information > whatsoever* as to the nature or extent of the changes. Continue?" > > > > Security vs. usability, round 100+1 :-). I understand that what to > > some (like me or Julian) makes a lot sense now, might not make sense > > to the people making in the standard at the time. That's why I like > > that we have an open mailing list to comment these things. The warning > > doesn't need to be worded as you worded. It sure can, in a hidden > > optional "more details" section. By default it could just say "This > > content is labeled as insecure by the web site, do you really want to > > continue?" or something similar. I'd let usability people figure the > > wording. > > This is not really a case of usability vs. security. (That dichotomy > is usually false, and this case is a perfect example.) > > As Brad's sarcastic-but-realistic dialog box text illustrates, this is > a case of bad usability + no real security guarantee vs. doing no > (new) harm. Doing no harm is definitely preferable to creating a bad > user experience and yet also not providing any real > (provable/enforceable at run-time) security — the worst of both > worlds. > > No amount of wordsmithing the UI string will fix it. > > The run-time provable, run-time enforceable way is for sites to serve > download pages and the downloaded files themselves via HTTPS with > valid certificates, and then to make use of (for code downloads) > whatever code-signing mechanism the destination platform provides > (every platform provides some kind of code authentication now). >
Received on Tuesday, 29 July 2014 00:32:14 UTC