Re: HSTS, mixed content, and priming from Richard Barnes on 2015-08-25 (public-webappsec@w3.org from August 2015)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Tue, 25 Aug 2015 11:04:39 -0400
To: Brian Smith <brian@briansmith.org>
Cc: Tanvi Vyas <tvyas@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <CAOAcki-jywfYusW+t5F=hFqnTxfxNqO5jis3cLwquZanZ2U2Mw@mail.gmail.com>

On Tue, Aug 25, 2015 at 3:38 AM, Brian Smith <brian@briansmith.org> wrote:

> Tanvi Vyas <tvyas@mozilla.com> wrote:
>
>> On Aug 24, 2015, at 11:24 PM, Brian Smith <brian@briansmith.org> wrote:
>>
>> Neither "priming" nor u-i-r are secure against an active MitM so websites
>> cannot rely on them for security. Websites need to use https://
>> subresource links to actually be secure.
>>
>>
>> How so?  Neither priming or u-r-i has to make an HTTP request. The
>> browser makes an HTTP request only when priming fails.
>>
>
> The MitM can block the priming request/response.
>

In that case, you're just back in the state we're in today, with normal
mixed content blocking.

--Richard



>
> Cheers,
> Brian
> --
> https://briansmith.org/
>
>

Received on Tuesday, 25 August 2015 15:05:12 UTC