- From: Chris Palmer <palmer@google.com>
- Date: Mon, 3 Nov 2014 16:28:00 -0800
- To: Joel Weinberger <jww@chromium.org>
- Cc: Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 3, 2014 at 4:02 PM, Joel Weinberger <jww@chromium.org> wrote:

>> Although it would be desirable for every site to use HTTPS,
>> I don't think that SRI is the right way of promoting this.
>
> This isn't a matter of promoting HTTPS; it's a matter of suggesting to users
> and developers that they're getting a security property that they're simply
> not getting.

Exactly. I'm increasingly concerned about this idea, popping up in several contexts now, that there can be any security at all without at least strong server authentication, data integrity, and data confidentiality. Like, we need those as the baseline minimum, so that we can *begin* to think about the next problems, like metadata confidentiality. Putzing around in the margins like this (Better Than Nothingism) is not going to help users.

Received on Tuesday, 4 November 2014 00:28:27 UTC