W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: Definition of secure origin in MIX and POWER

From: Jeffrey Walton <noloader@gmail.com>
Date: Wed, 8 Jul 2015 12:13:10 -0400
Message-ID: <CAH8yC8n9WnKdM1Um7mDJrmP=a_cwUX1TCLdfCWn7F4-f3gguWw@mail.gmail.com>
To: Francois Marier <francois@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Wed, Jul 8, 2015 at 10:43 AM, Francois Marier <francois@mozilla.com> wrote:
> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>
Another related, open question is the interaction with TLS-PSK and
TLS-SRP. Neither require the server to send a certificate, so it may
cause some oddities.

One of the oddities is server identity continuity, where the bad guy
stands up his own server and then tricks the client to cough up its
secrets to the malicious server. In this case, there's no need to
break into the app, or dismantle the sandbox on the client side with
things like JB devices. The bad guy picks a password, sets it on the
server, and then uses it on the client.

So it will be interesting to see if that server is trusted in the same
esteem as other cipher suites where server identity can be positively
identified over time (modulo the overrides in HPKP).

Jeff
Received on Wednesday, 8 July 2015 16:13:38 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC