- From: Jeffrey Walton <noloader@gmail.com>
- Date: Wed, 8 Jul 2015 12:13:10 -0400
- To: Francois Marier <francois@mozilla.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Wed, Jul 8, 2015 at 10:43 AM, Francois Marier <francois@mozilla.com> wrote:
> Is there a reason why the mixed content spec doesn't use the same
> definition of "potentially secure origin" as the powerful features spec?
>
> In particular, "http://localhost" is potentially secure in POWER but not
> in MIX.
>

Another related, open question is the interaction with TLS-PSK and TLS-SRP. Neither requires the server to send a certificate, so it may cause some oddities.

One of the oddities is server identity continuity, where the bad guy stands up his own server and then tricks the client to cough up its secrets to the malicious server. In this case, there's no need to break into the app, or dismantle the sandbox on the client side with things like JB devices. The bad guy picks a password, sets it on the server, and then uses it on the client.

So it will be interesting to see if that server is trusted in the same esteem as other cipher suites where server identity can be positively identified over time (modulo the overrides in HPKP).

Jeff

Received on Wednesday, 8 July 2015 16:13:38 UTC