Re: [MIX]: Expand scope beyond TLS/non-TLS (Re: "Mixed Content" draft up for review.) from Mike West on 2014-06-10 (public-webappsec@w3.org from June 2014)

From: Mike West <mkwst@google.com>
Date: Tue, 10 Jun 2014 06:21:01 +0200
To: Katharine Berry <katharine@getpebble.com>
Cc: Zack Weinberg <zackw@cmu.edu>, Brian Smith <brian@briansmith.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=d_C_-WA7rth2WVAnT4k9htcr43E6Uxs21HuE1V9qLU9w@mail.gmail.com>

Thanks for the suggestion, Zack!

On Tue, Jun 10, 2014 at 2:48 AM, Katharine Berry <katharine@getpebble.com>
wrote:

> I think we would prefer this proposal, or something like it, over both
> the current, insecure state and one in which we’re forced to hack TLS
> on in an almost pointlessly insecure manner (though given the current
> and imminent state of browsers, we’re probably going to have to
> do that anyway...).
>

Did you give consideration to the suggestion above that developers could
simply be asked to accept a self-signed certificate presented by the device
upon connection? It seems like that would properly put the burden of
bypassing the existing PKI implementations upon the subset of users who
want to develop applications on the web that are distributed to devices
without installing any software.

If it works the way I'm claiming it does (Joel? :) And perhaps someone from
Mozilla can weigh in about their implementation...), it would seem to be a
relatively low burden for that subset of users to bear, and would entail no
change from status-quo for the rest of the web.

-mike

Received on Tuesday, 10 June 2014 04:21:49 UTC