Re: "Mixed Content" draft up for review - HSTS primary purpose

 > Note that I am only arguing this for HSTS, which is a clear signal of
 > opt-in by the server operator, and for which the primary purpose is to
 > hide 'user' mistakes (forgetting the scheme in the URL bar) rather than
 > 'author' mistakes.

Well, it of course depends upon the mindset of the 'server operator'. From 
both my perspective as an HSTS author (and Adam B. & Colin in their original 
ForceHTTPS paper), and my day job at PayPal (i.e., one of them 'server 
operators'), we value the HSTS policy equally as a protection for both user 
and developer 'mistakes'.

Note also that we explicitly didn't prioritize between those two (sub-)use 
cases in the HSTS spec <>..

   2.1. Use Cases

      The high-level use case is a combination of:

      o  Web browser user wishes to interact with various web sites (some
         arbitrary, some known) in a secure fashion.

      o  Web site deployer wishes to offer their site in an explicitly
         secure fashion for their own, as well as their users', benefit.



Received on Tuesday, 3 June 2014 00:10:58 UTC