On Thu, Jan 8, 2015 at 1:32 PM, <chaals@yandex-team.ru> wrote:
> 06.01.2015, 02:03, "Mark Watson" <watsonm@netflix.com>:
>
> On Mon, Jan 5, 2015 at 2:50 PM, Jim Manico <jim.manico@owasp.org> wrote:
>
> > A site that is almost entirely HTTPS, but with HTTP used to retrieve
> some data resources, seems to be better than having the site entirely HTTP,
> no ?
>
> I'd say no. Once you let any part of your website be loaded over HTTP,
> HTTPS is completely undermined. The benefits of confidentiality,
> integrity and authenticity only exist when your entire site is HTTPS.
> I see mixed content and HTTP as being the same, essentially.
>
>
> FWIW, if all the resources retrieved over HTTP were protected with
> sub-resource-integrity, then I think you have lost only some
> confidentiality and you still have integrity and authenticity.
>
>
> More to the point, if the ones that are "very important" (the missile
> launching icons) are protected, but the ones that aren't very important
> (the advertisements for luxury apartments in the newly privatised Pentagon)
> are insecure, you *probably* have an improvement over everything unsecured.
> And I don't think you have anything worse.
>
> Which is why Mark's proposal makes a lot of sense to me. It effectively
> tells the user that things are only as strong as the weakest link.
>
And then weakens the weakest link, right?
Note also Brad's response: SRI is ineffective if you don't know the content
you're interested in loading. It probably helps the Netflix case, but
doesn't address the core concern Tim is raising.
>
> As another motivating example, it seems Project Gutenberg doesn't seem to
> use https connections. To be honest, I don't care. Even in an e-book reader
> that imports a hacked King James that says "Thou shalt kill". If we are
> relying on HTTPS for people to correctly interpret the commandment in
> question, I think we're chasing the wrong problem with our solutions.
>
Really? https://www.gutenberg.org/wiki/Bible/King_James_Version loads just
fine for me. :)
-mike
--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)