
Re: "Mixed Content" draft up for review.

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Mon, 2 Jun 2014 08:03:37 -0700
Message-ID: <CAPfop_2h8WPj2tK6ow32QKwboCvyqa8accQsMX49jvYu8k6xqQ@mail.gmail.com>
To: Ryan Sleevi <rsleevi@chromium.org>
Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, palmer@chromium.org, Brad Hill <bhill@paypal.com>, Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I believe that we have debated with Mozilla on this in the past as to
> whether this was a bug or a feature. Our (Chrome) view is that it's a feature, and
> that it is more important to warn authors about the potential mixed content
> than it is to have users relying on HSTS. Mozilla was debating whether or
> not the mixed content checking should happen based upon the effective
> transport.

I agree that we should warn authors. But the current Chrome (and
Firefox?) design warns the user in addition to the author. This has two
disadvantages: first, and probably most important, is warning fatigue.
A number of researchers have suggested that showing fewer warnings
actually improves the efficacy of warnings when we do end up showing them.

Second, imagine you are the security engineer for awesomesauce social
network. You fought the good fight and turned on HSTS, but now every
time some developer writes HTTP by mistake, the user is shown a
warning despite the fact that the user was never vulnerable. Now your
manager is angry at you: if we really needed to train developers to write
HTTPS everywhere, what was the huge fuss about turning on HSTS?

I am not sure what the solution is, nor am I sure whether it is in the
purview of this spec to talk about the UI shown to the user.


cheers
Dev
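To make the two positions in this thread concrete, here is an added illustration (mine, not code from Chrome, Firefox or the Mixed Content draft) of a mixed-content check run on the subresource URL as written versus on the effective transport after the HSTS rewrite. The HSTS store and host names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's HSTS known-hosts store (hypothetical host).
HSTS_HOSTS = {"awesomesauce.example": {"includeSubDomains": True}}


def hsts_upgrade(url: str) -> str:
    """Rewrite http:// to https:// when the host is an HSTS known host (RFC 6797 8.3)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = (parts.hostname or "").lower()
    for name, policy in HSTS_HOSTS.items():
        if host == name or (policy["includeSubDomains"] and host.endswith("." + name)):
            # An explicit :80 becomes the https default port, as the RFC describes.
            netloc = host if parts.port == 80 else parts.netloc
            return urlunsplit(parts._replace(scheme="https", netloc=netloc))
    return url


def classify(page_url: str, subresource_url: str, effective_transport: bool):
    """Return (warn_author, warn_user) for a subresource loaded by page_url.

    warn_author follows the URL as written, so the developer always learns that
    http:// was typed on a secure page.  warn_user follows either the as-written
    scheme (the Chrome position in the thread) or the scheme after the HSTS
    rewrite (the effective-transport position), selected by effective_transport.
    """
    if urlsplit(page_url).scheme != "https":
        return False, False  # mixed content only applies to a secure page
    as_written_insecure = urlsplit(subresource_url).scheme == "http"
    effective_insecure = urlsplit(hsts_upgrade(subresource_url)).scheme == "http"
    warn_author = as_written_insecure
    warn_user = effective_insecure if effective_transport else as_written_insecure
    return warn_author, warn_user


if __name__ == "__main__":
    page = "https://awesomesauce.example/"
    for sub in ("http://cdn.awesomesauce.example/app.js", "http://other.example/lib.js"):
        for mode in (False, True):
            label = "effective transport" if mode else "as written"
            print(f"{sub} [{label}]: (warn_author, warn_user) = {classify(page, sub, mode)}")
```

Only the HSTS-covered host changes outcome between the two modes: the author warning fires in both, while the user warning disappears under the effective-transport check because the request was upgraded before it left the browser.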
Received on Monday, 2 June 2014 15:04:25 UTC
