Re: Proposal: Prefer secure origins for powerful new web platform features

On Fri, Jun 27, 2014 at 4:38 PM, Yan Zhu <> wrote:

>>     * (https, *, *)
>>     * (wss, *, *)
>>     * (*, localhost, *)
>>     * (*, 127/8, *)
>>     * (*, ::1/128, *)
>>     * (file, *, —)
>>     * (chrome-extension, *, —)
>> This list may be incomplete, and may need to be changed. Please discuss!
> What are your thoughts on private address space IPs?

Note that UAs should increasingly disprefer IP addresses in X.509
certs as CNs or as SANs, and IIRC the CABF's Baseline Requirements no
longer allow CAs to issue such certs, and if the origin is remote then
it can only be secure with the help of TLS or something like it.

So, sort of: "That shouldn't be happening."

But, also, it seems like a bad idea to let access
powerful features when you're on the hotel wifi.

> An example of this would be a router admin interface on that
> can be accessed either over plain HTTP or HTTPS with a self-signed cert,
> which offers little protection from network attackers anyway.

Right. But:

* Do such routers need access to fancy things like Service Workers or
Missile Launch Control Panel?
* They are computationally indistinguishable from a dubious person's
web server on the hotel wifi.
* I have another idea for how to handle authetnication for Internet Of
Things, but that's another thread entirely and we shan't go there just
yet. :)

Received on Friday, 27 June 2014 23:59:21 UTC