Re: [SRI] may only be used in documents in secure origins

From: Chris Palmer <palmer@google.com>
Date: Mon, 3 Nov 2014 16:28:00 -0800
Message-ID: <CAOuvq217mg-bgSyerVHWfGb7re_BBRW3mhX0KMZSBNPkWgiEcQ@mail.gmail.com>
To: Joel Weinberger <jww@chromium.org>
Cc: Frederik Braun <fbraun@mozilla.com>, Pete Freitag <pete@foundeo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Nov 3, 2014 at 4:02 PM, Joel Weinberger <jww@chromium.org> wrote:

>> Although it would be desirable for every site to use HTTPS,
>> I don't think that SRI is the right way of promoting this.
>
> This isn't a matter of promoting HTTPS; it's a matter of suggesting to users
> and developers that they're getting a security property that they're simply
> not getting.

Exactly.

I'm increasingly concerned about this idea, popping up in several
contexts now, that there can be any security at all without at least
strong server authentication, data integrity, and data
confidentiality. Like, we need those as the baseline minimum, so that
we can *begin* to think about the next problems, like metadata
confidentiality.

Putzing around in the margins like this (Better Than Nothingism) is
not going to help users.

Received on Tuesday, 4 November 2014 00:28:27 UTC