- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Thu, 08 Jan 2015 14:06:13 +0000
- To: Jeffrey Yasskin <jyasskin@google.com>, Mark Watson <watsonm@netflix.com>
- Cc: Chris Palmer <palmer@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec\@w3.org" <public-webappsec@w3.org>
On Mon 2015-01-05 22:08:47 +0000, Jeffrey Yasskin wrote:
> That sounds plausible too. So two options on the table so far are:
>
> * Use the passive-mixed-content treatment, the locked yellow triangle on
> https://support.google.com/chrome/answer/6098869.
> * Use the http treatment: the non-lock document on
> https://support.google.com/chrome/answer/6098869, subject to future changes
> per [Marking HTTP As Non-Secure].
>
> (I suppose the third option so far is "OMG Don't do this !!1!!1" :)

And the fourth option, as suggested in multiple places in this discussion, is to optimistically attempt https connections to the http subresources. If they fail, they will fail no worse than an arbitrary network attack against the cleartext resource.

If we're thinking about incentives to convert from http to https, the optimistic http->https conversion would give the legacy data sources an additional incentive to convert.

--dkg
Received on Thursday, 8 January 2015 14:06:32 UTC
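The "fourth option" above, optimistic http->https upgrading of subresources with fallback to the cleartext URL, sketched as an added example; this is illustrative code, not code from the thread, from dkg or from any browser. The `fetchImpl` parameter is a synchronous stand-in for a network fetch so the logic runs offline, the origins in `CONSTRUCTED_ORIGINS` are invented, and the `lock`/`mixed-content` labels returned by `pageIndicator` are an assumed simplification of the UI treatments discussed in the thread.

```javascript
// Optimistic http -> https upgrade of subresource URLs on an https page,
// falling back to the original cleartext URL when the https attempt fails.
// Illustrative example only; not from the thread or from any browser.

// Rewrite an http: URL to https:, leaving any other scheme alone.
// URL() drops a port that is the default for the new scheme, so
// http://h:80/x becomes https://h/x while http://h:8080/x keeps its port.
function upgradeUrl(url) {
  const u = new URL(url);
  if (u.protocol !== "http:") return null;
  u.protocol = "https:";
  return u.toString();
}

// Try the upgraded URL first; on any failure (no TLS listener, handshake
// error, timeout...) fall back to the URL the page actually asked for.
// This is the "no worse than a network attack on the cleartext resource"
// argument: the fallback is exactly what an attacker could already force.
// fetchImpl(url) is assumed to return the body or throw on failure.
function fetchSubresource(url, fetchImpl) {
  const upgraded = upgradeUrl(url);
  if (upgraded === null) {
    // Nothing to upgrade: already https (or a non-http scheme).
    const secure = new URL(url).protocol === "https:";
    return { url, upgraded: false, secure, body: fetchImpl(url) };
  }
  try {
    return { url: upgraded, upgraded: true, secure: true, body: fetchImpl(upgraded) };
  } catch (err) {
    // The legacy host does not serve https; load the cleartext resource.
    return { url, upgraded: false, secure: false, body: fetchImpl(url) };
  }
}

function loadSubresources(urls, fetchImpl) {
  return urls.map((u) => fetchSubresource(u, fetchImpl));
}

// Assumed simplification of the indicator choice: a page whose subresources
// all ended up on https keeps the lock; any cleartext fallback is treated
// as mixed content.
function pageIndicator(results) {
  return results.every((r) => r.secure) ? "lock" : "mixed-content";
}

// Constructed offline stand-in for the network: which URLs "exist".
// legacy.example has no https listener; modern.example serves both.
const CONSTRUCTED_ORIGINS = {
  "https://cdn.example/lib.js": "console.log('lib')",
  "http://modern.example/img.png": "PNG-bytes",
  "https://modern.example/img.png": "PNG-bytes",
  "http://legacy.example/data.json": "{\"legacy\":true}",
};

function mockFetch(url) {
  if (!(url in CONSTRUCTED_ORIGINS)) throw new Error("connection failed: " + url);
  return CONSTRUCTED_ORIGINS[url];
}

// Usage: a page referencing one https resource and two http resources.
const PAGE_SUBRESOURCES = [
  "https://cdn.example/lib.js",
  "http://modern.example/img.png",
  "http://legacy.example/data.json",
];
const demoResults = loadSubresources(PAGE_SUBRESOURCES, mockFetch);
for (const r of demoResults) {
  console.log(`${r.url} upgraded=${r.upgraded} secure=${r.secure}`);
}
console.log("indicator:", pageIndicator(demoResults));
```

Note what the example does not do: it does not retry or cache the failed https attempt, and it does not distinguish a TLS failure from a plain connection refusal, both of which a real implementation would have to think about before shipping.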