Re: [MIX] Require HTTPS scripts to be able to anything HTTP scripts can do.

On Mon, Jan 5, 2015 at 2:50 PM, Jim Manico <jim.manico@owasp.org> wrote:

> > A site that is almost entirely HTTPS, but with HTTP used to retrieve
> some data resources, seems to be better than having the site entirely HTTP,
> no ?
>
> I'd say no. Once you let any part of your website be loaded over HTTP,
> HTTPS is completely undermined. The benefits of confidentiality,
> integrity and authenticity only exist when your entire site is HTTPS.
> I see mixed content and HTTP as being the same, essentially.
>

FWIW, if all the resources retrieved over HTTP were protected with
sub-resource-integrity, then I think you have lost only some
confidentiality and you still have integrity and authenticity.

...Mark



>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> > On Jan 5, 2015, at 4:53 PM, Mark Watson <watsonm@netflix.com> wrote:
> >
> > A site that is almost entirely HTTPS, but with HTTP used to retrieve
> some data resources, seems to be better than having the site entirely HTTP,
> no ?
>

Received on Monday, 5 January 2015 23:02:03 UTC
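
The sub-resource-integrity point in the reply above, as an added example that is not part of the original message: the digest is assumed to arrive in the HTTPS-delivered page and the resource body over plain HTTP. The function names and sample bodies are constructed for illustration; the matching rule (use only the strongest listed algorithm, skip unknown ones) follows the SRI specification.

```python
import base64
import hashlib

# Hash algorithms defined by the SRI specification, weakest to strongest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_token(body, alg="sha384"):
    """Build one integrity token ("alg-base64digest") for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return alg + "-" + base64.b64encode(digest).decode()


def parse_integrity(attr):
    """Split an integrity value into (alg, digest) pairs, skipping unknown algorithms."""
    pairs = []
    for token in attr.split():
        expr = token.split("?", 1)[0]          # drop optional "?options"
        alg, sep, digest = expr.partition("-")
        if sep and digest and alg in STRENGTH:
            pairs.append((alg, digest))
    return pairs


def bytes_match(body, attr):
    """Return True if the fetched body satisfies the integrity metadata."""
    pairs = parse_integrity(attr)
    if not pairs:
        # No usable metadata: the load proceeds unchecked, so a mistyped
        # algorithm name silently removes the protection.
        return True
    strongest = max(STRENGTH[alg] for alg, _ in pairs)
    return any(
        sri_token(body, alg) == alg + "-" + digest
        for alg, digest in pairs
        if STRENGTH[alg] == strongest
    )


# Constructed sample data: the body the site published and the same body
# after an on-path modification of the plain-HTTP response.
ORIGINAL = b'{"title": "constructed sample", "id": 1}'
TAMPERED = b'{"title": "constructed sample", "id": 2}'
ATTR = sri_token(ORIGINAL)                     # shipped inside the HTTPS page

if __name__ == "__main__":
    print("original accepted:", bytes_match(ORIGINAL, ATTR))
    print("tampered accepted:", bytes_match(TAMPERED, ATTR))
```

The check rejects the modified body, but anyone on the path still reads both bodies in the clear, which is the confidentiality loss the reply refers to.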