
Re: CfC to publish FPWD of "Upgrade Insecure Resources"; Deadline Feb 17th.

From: Jim Manico <jim.manico@owasp.org>
Date: Tue, 10 Feb 2015 19:57:28 +0100
Message-ID: <-4508264785565850389@unknownmsgid>
To: Crispin Cowan <crispin@microsoft.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Wendy Seltzer <wseltzer@w3.org>, Peter Eckersley <pde@eff.org>, yan zhu <yan@mit.edu>
> That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from.


Slack makes no sense to me; if the adversarial observer on your
network sees part of the page loaded via HTTP they can inject their
own content and game over. You are either all HTTPS or not HTTPS,
right?

--
Jim Manico
@Manicode
(808) 652-3805

> On Feb 10, 2015, at 7:12 PM, Crispin Cowan <crispin@microsoft.com> wrote:
>
> That there should be a “strict” mode e.g. for banks that want absolutely all traffic encrypted, and a “slack” mode e.g. for mashup web sites that want to encrypt all of their own content, but not that coming from some other web sites that they are pulling from.
Received on Tuesday, 10 February 2015 18:58:03 UTC
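To make the strict-versus-slack distinction from the thread concrete, here is an added example (not code from the spec, the list, or either correspondent) that applies both policies to a constructed set of subresources and reports what would still load over a cleartext channel. The scheme rewrite (http to https, ws to wss) and the explicit port 80 to 443 mapping follow my reading of the Upgrade Insecure Requests draft; the host names, the `audit` helper and the "same host equals own content" rule for slack mode are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Scheme upgrades; the port 80 -> 443 mapping is my reading of the draft.
UPGRADE = {"http": "https", "ws": "wss"}

def upgrade_insecure_url(url):
    """Rewrite an insecure URL to its secure counterpart; others pass through.
    Any userinfo in the URL is dropped."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    if scheme not in UPGRADE:
        return url
    host = p.hostname or ""
    if ":" in host:                      # re-bracket an IPv6 literal
        host = f"[{host}]"
    port = 443 if p.port == 80 else p.port
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((UPGRADE[scheme], netloc, p.path, p.query, p.fragment))

def same_host(page_url, url):
    return (urlsplit(page_url).hostname or "").lower() == \
           (urlsplit(url).hostname or "").lower()

def audit(page_url, subresources, mode):
    """Apply 'strict' (upgrade everything) or 'slack' (upgrade only the
    page's own host, as the thread describes it) and return
    (rewritten URLs, URLs that would still load insecurely)."""
    rewritten = []
    for url in subresources:
        if mode == "strict" or (mode == "slack" and same_host(page_url, url)):
            url = upgrade_insecure_url(url)
        rewritten.append(url)
    insecure = [u for u in rewritten if urlsplit(u).scheme.lower() in UPGRADE]
    return rewritten, insecure

def page_is_fully_encrypted(page_url, subresources, mode):
    """True only when no subresource remains on an insecure scheme."""
    return not audit(page_url, subresources, mode)[1]

# Constructed sample: an HTTPS page pulling its own assets over HTTP plus a
# third-party script, i.e. the mashup case from the thread.
PAGE = "https://bank.example/account"
SUBRESOURCES = [
    "http://bank.example/js/app.js",
    "http://bank.example:80/css/site.css",
    "ws://bank.example:8080/live",
    "http://cdn.partner.example/widget.js",
    "https://static.bank.example/logo.png",
]

if __name__ == "__main__":
    for mode in ("strict", "slack"):
        print(mode, "leaves insecure:", audit(PAGE, SUBRESOURCES, mode)[1])
```

Under "slack" the third-party script is still fetched over HTTP, which is exactly the foothold the reply above describes; under "strict" nothing insecure remains.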
