- From: Mike West <mkwst@google.com>
- Date: Thu, 23 Oct 2014 16:24:18 +0200
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=cuQ3_qkqP01BJSYFLR+R=zbJrX1H-7W261DZEJ22YATg@mail.gmail.com>
On Thu, Oct 23, 2014 at 4:16 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
> On Thu, Oct 23, 2014 at 3:58 PM, Mike West <mkwst@google.com> wrote:
> > As of Chrome 41: "Sites with end-entity certificates that expire on or after
> > 1 January 2017, and which include a SHA-1-based signature as part of the
> > certificate chain, will be treated as “affirmatively insecure”. Subresources
> > from such domain will be treated as “active mixed content”."
>
> But isn't that the same as a network error? (As in, not in need of the
> "weakly authenticated" bit.)

No, for two reasons:

1. We're not blocking all requests from SHA-1-laden servers, just those that are subresources of non-SHA-1-laden HTTPS documents. So we need to have mixed content checking logic down in Blink somewhere; we can't just blindly kill the request entirely.

2. We allow users to toggle blockable mixed content on via an omnibox icon (similar to what Firefox has started doing with mixed script, etc.). So we can't just blindly kill the request.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
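The two reasons above amount to a decision that belongs in the mixed content checker rather than in the network stack: the outcome depends on both the document's chain and the subresource's chain, plus a user override. The following is an added example, not Chromium code and not from the thread; it models the quoted Chrome 41 rule over a constructed chain representation (the `CertChain` class, `chain`, `sha1_laden` and `classify_subresource` names are my own, as is the "allow-user-override" result).

```python
from dataclasses import dataclass
from datetime import date

# End-entity expiry threshold quoted in the thread (Chrome 41 policy).
SHA1_CUTOFF = date(2017, 1, 1)


@dataclass
class CertChain:
    """Constructed stand-in for an already-validated TLS chain (not a parser)."""
    host: str
    leaf_not_after: date
    # Signature hash of each certificate, leaf first. A browser ignores the
    # root's self-signature, so callers should leave the root out.
    signature_hashes: list


def chain(host: str, not_after_iso: str, hashes: list) -> CertChain:
    """Helper to build a constructed CertChain from an ISO date string."""
    return CertChain(host, date.fromisoformat(not_after_iso), hashes)


def sha1_laden(c: CertChain) -> bool:
    """Chrome 41 rule as quoted: leaf expires on or after 2017-01-01 AND at
    least one signature in the chain is SHA-1-based."""
    uses_sha1 = any(h.lower().replace("-", "") == "sha1" for h in c.signature_hashes)
    return c.leaf_not_after >= SHA1_CUTOFF and uses_sha1


def classify_subresource(document: CertChain, subresource: CertChain,
                         user_allowed_blockable: bool = False) -> str:
    """What a Blink-style mixed content check does with an HTTPS subresource.

    Returns 'allow', 'block' or 'allow-user-override'. Mirrors the two reasons
    in the thread: only subresources of non-SHA-1-laden documents are blocked,
    and the user can opt in to loading blockable mixed content.
    """
    if not sha1_laden(subresource):
        return "allow"                  # ordinary, strongly authenticated HTTPS
    if sha1_laden(document):
        return "allow"                  # reason 1: the document is itself SHA-1-laden
    if user_allowed_blockable:
        return "allow-user-override"    # reason 2: omnibox toggle
    return "block"                      # treated as active (blockable) mixed content


if __name__ == "__main__":
    doc = chain("www.example", "2018-01-01", ["sha256", "sha256"])
    cdn = chain("cdn.example", "2017-06-01", ["sha1", "sha256"])
    print(classify_subresource(doc, cdn))         # block
    print(classify_subresource(doc, cdn, True))   # allow-user-override
```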
Received on Thursday, 23 October 2014 14:25:07 UTC