Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 5 Jan 2015 17:50:37 -0500
Message-ID: <8980886934156577364@unknownmsgid>
To: Mark Watson <watsonm@netflix.com>
Cc: Chris Palmer <palmer@google.com>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> A site that is almost entirely HTTPS, but with HTTP used to retrieve some data resources, seems to be better than having the site entirely HTTP, no?

I'd say no. Once you let any part of your website be loaded over HTTP,
HTTPS is completely undermined. The benefits of confidentiality,
integrity and authenticity only exist when your entire site is HTTPS.
I see mixed content and HTTP as being the same, essentially.

--
Jim Manico
@Manicode
(808) 652-3805

> On Jan 5, 2015, at 4:53 PM, Mark Watson <watsonm@netflix.com> wrote:
>
> A site that is almost entirely HTTPS, but with HTTP used to retrieve some data resources, seems to be better than having the site entirely HTTP, no?
Received on Monday, 5 January 2015 22:51:08 UTC
