Re: CfC to publish FPWD of "Upgrade Insecure Resources"; Deadline Feb 17th.

> That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from.


Slack makes no sense to me; if the adversarial observer on your
network sees part of the page loaded via HTTP, they can inject their
own content, and game over. You are either all HTTPS or not HTTPS,
right?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 10, 2015, at 7:12 PM, Crispin Cowan <crispin@microsoft.com> wrote:
>
> That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from.

Received on Tuesday, 10 February 2015 18:58:03 UTC