On Mon, May 19, 2014 at 12:37 AM, Anne van Kesteren <annevk@annevk.nl>wrote:
> On Mon, May 19, 2014 at 9:12 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> > Obviously, full TLS provide better user protection (for any kind of
> MITM),
> > but I think the above scheme can be used to mitigate SW specific MITM
> > threats, and enable SW over TLS.
> >
> > Thoughts?
>
> I don't think we ever thought it would not be possible to have service
> workers outside HTTPS given sufficient patching, it's just not clear
> that making it substantially different is a good tradeoff. And sites
> that use service workers ought to be using HTTPS anyway.
>
What Anne said. The can(s) of worms that it opens are messy, the
mitigations not sufficiently less onerous than SSL, and the benefits
suspect.
Secure-origins are where it's at. The world needs to be encrypted and we're
going first.
Onward.