Re: [MIX] Is origin an authenticated origin?

From: Mike West <mkwst@google.com>
Date: Thu, 23 Oct 2014 16:24:18 +0200
Message-ID: <CAKXHy=cuQ3_qkqP01BJSYFLR+R=zbJrX1H-7W261DZEJ22YATg@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

On Thu, Oct 23, 2014 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Thu, Oct 23, 2014 at 3:58 PM, Mike West <mkwst@google.com> wrote:
> > As of Chrome 41: "Sites with end-entity certificates that expire on or
> > after 1 January 2017, and which include a SHA-1-based signature as part of
> > the certificate chain, will be treated as “affirmatively insecure”.
> > Subresources from such domain will be treated as “active mixed content”."
>
> But isn't that the same as a network error? (As in, not in need of the
> "weakly authenticated" bit.)
>

No, for two reasons:

1. We're not blocking all requests from SHA-1 laden servers, just those
that are subresources of non-SHA-1-laden HTTPS documents. So we need to
have mixed content checking logic down in Blink somewhere; we can't just
blindly kill the request entirely.

2. We allow users to toggle blockable mixed content on via an omnibox icon
(similar to what Firefox has started doing with mixed script, etc.). So we
can't just blindly kill the request.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Thursday, 23 October 2014 14:25:07 UTC
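
The distinction drawn in the reply above, as an added example that is not part of the original message and is not Chrome's or Blink's code: a simplified model contrasting "treat the SHA-1 chain as a network error" with a decision made at the mixed content check. The field names (`cert`, `sha1InChain`, `leafNotAfter`, `embeddingDocumentCert`), the result strings and the sample certificates are assumptions constructed for illustration.

```javascript
// Cutoff from the quoted Chrome 41 text: leaf expires on or after 1 January 2017.
const SHA1_CUTOFF = Date.UTC(2017, 0, 1);

// True when a chain matches the quoted criteria: a SHA-1-based signature
// in the chain and an end-entity certificate expiring on or after the cutoff.
function isSha1Laden(cert) {
  return cert.sha1InChain === true && cert.leafNotAfter >= SHA1_CUTOFF;
}

// Strategy A (hypothetical): fail at the network layer. Only the connection
// is visible there, so every request to the server fails, whoever asked.
function networkErrorModel(request) {
  return isSha1Laden(request.cert) ? "fail" : "load";
}

// Strategy B (hypothetical): decide at the mixed content check, where the
// embedding document and the user's override are both known.
// embeddingDocumentCert is null for a top-level navigation or a non-HTTPS document.
function mixedContentModel(request, userAllowsBlockable) {
  if (!isSha1Laden(request.cert)) return "load";
  const doc = request.embeddingDocumentCert;
  // Reason 1: only subresources of non-SHA-1-laden HTTPS documents are blocked.
  if (doc === null || isSha1Laden(doc)) return "load";
  // Reason 2: the user can toggle blockable mixed content back on.
  return userAllowsBlockable ? "load" : "block";
}

// Constructed sample certificates (not real data).
const SAMPLE = {
  weak: { sha1InChain: true, leafNotAfter: Date.UTC(2017, 5, 1) },
  strong: { sha1InChain: false, leafNotAfter: Date.UTC(2017, 5, 1) },
  shortLivedSha1: { sha1InChain: true, leafNotAfter: Date.UTC(2016, 5, 1) },
};

// Runs both strategies over one request so the differences are visible.
function compare(cert, embeddingDocumentCert, userAllowsBlockable) {
  const request = { cert, embeddingDocumentCert };
  return {
    networkError: networkErrorModel(request),
    mixedContent: mixedContentModel(request, userAllowsBlockable),
  };
}
```

The two strategies agree only for a SHA-1 subresource of a strongly authenticated document with no override; in the other SHA-1 cases strategy A fails a request that the behaviour described in the reply would let through.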
