- From: Chris Palmer <palmer@google.com>
- Date: Fri, 14 Nov 2014 11:38:46 -0800
- To: Brian Smith <brian@briansmith.org>
- Cc: Mark Watson <watsonm@netflix.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Nov 12, 2014 at 6:15 PM, Brian Smith <brian@briansmith.org> wrote:

> We're trying to eventually disable all mixed content so that browsers'
> security indicators are simple enough to be truly meaningful to
> end-users. I think a lot of security and privacy engineers would admit
> that the actual security and privacy issues regarding HTTP vs HTTPS
> are more nuanced than all-or-nothing, but it seems like all-or-nothing
> is all we can expect end-users to understand, so that forces us into
> all-or-nothing approaches.

I prefer to frame it as "bare minimum or nothing". In any case, it is certainly counter-productive to increase the complexity and nuance.

Received on Friday, 14 November 2014 19:39:14 UTC