Re: [MIX] Require HTTPS scripts to be able to do anything HTTP scripts can do.

From: Chris Palmer <palmer@google.com>
Date: Thu, 8 Jan 2015 10:31:25 -0800
Message-ID: <CAOuvq20JRArEOPbRS2=Z_hfEqizeLiucVSP9KG8ZikfN0kiWOw@mail.gmail.com>
To: Chaals from Yandex <chaals@yandex-team.ru>
Cc: Mark Watson <watsonm@netflix.com>, Jim Manico <jim.manico@owasp.org>, Jeffrey Yasskin <jyasskin@google.com>, Tim Berners-Lee <timbl@w3.org>, Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Thu, Jan 8, 2015 at 4:32 AM, <chaals@yandex-team.ru> wrote:

> advertisements for luxury apartments in the newly privatised Pentagon) are

:)

> And option 4 is to keep discussing for a few more years. This is a problem
> that will probably go away one day, as people suck up the cost of securing
> everything, or republish the interesting unsecured things from a more secure
> server.

That is a viable option, indeed.

> As another motivating example, it seems Project Gutenberg doesn't seem to
> use https connections. To be honest, I don't care. Even in an e-book reader
> that imports a hacked King James that says "Thou shalt kill". If we are
> relying on HTTPS for people to correctly interpret the commandment in
> question, I think we're chasing the wrong problem with our solutions.

What about if a network attacker inserts a fuzzed king-james.epub that
exploits a vulnerability in your book reading app?

https://firstlook.org/theintercept/2014/08/15/cat-video-hack/

Received on Thursday, 8 January 2015 18:31:52 UTC