- From: Jim Manico <jim.manico@owasp.org>
- Date: Tue, 10 Feb 2015 19:57:28 +0100
- To: Crispin Cowan <crispin@microsoft.com>
- Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Peter Eckersley <pde@eff.org>, yan zhu <yan@mit.edu>
> That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from. Slack makes no sense to me; if the adversarial observer on your network sees part of the page loaded via HTTP they can inject their own content and game over. You are either all HTTPS or not HTTPS, right? -- Jim Manico @Manicode (808) 652-3805 > On Feb 10, 2015, at 7:12 PM, Crispin Cowan <crispin@microsoft.com> wrote: > > That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from.
Received on Tuesday, 10 February 2015 18:58:03 UTC