Re: SRI, cache validation and ServiceWorkers

From: Alex Russell <slightlyoff@google.com>
Date: Mon, 19 May 2014 15:20:15 -0700
Message-ID: <CANr5HFUJtokmtbeU3V3R2hvKYPWr9041a02_Zxdspy03KgHXJQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Yoav Weiss <yoav@yoav.ws>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, May 19, 2014 at 12:37 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, May 19, 2014 at 9:12 AM, Yoav Weiss <yoav@yoav.ws> wrote:
> > Obviously, full TLS provides better user protection (for any kind of MITM),
> > but I think the above scheme can be used to mitigate SW specific MITM
> > threats, and enable SW over TLS.
> >
> > Thoughts?
>
> I don't think we ever thought it would not be possible to have service
> workers outside HTTPS given sufficient patching, it's just not clear
> that making it substantially different is a good tradeoff. And sites
> that use service workers ought to be using HTTPS anyway.
>

What Anne said. The can(s) of worms that it opens are messy, the
mitigations not sufficiently less onerous than SSL, and the benefits
suspect.

Secure-origins are where it's at. The world needs to be encrypted and we're
going first.

Onward.
Received on Monday, 19 May 2014 22:21:12 UTC