Re: UPGRADE: 'HTTPS' header causing compatibility issues.

From: Mike West <mkwst@google.com>
Date: Thu, 9 Jul 2015 08:39:37 +0200
Message-ID: <CAKXHy=fYE_w38wMZ-gRTzBX_JkqanjwaWTDxetvgJMex6VC4KA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Tanvi Vyas <tanvi@mozilla.com>, Mark Nottingham <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Ilya Grigorik <igrigorik@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Brian Smith <brian@briansmith.org>

It feels like a distinction without meaning, especially given that we know
passive monitoring is happening on a wide scale. Calling unencrypted
transport affirmatively "insecure" seems fairly reasonable.

On Jul 9, 2015 06:54, "Martin Thomson" <martin.thomson@gmail.com> wrote:

> On 8 July 2015 at 21:44, Richard Barnes <rbarnes@mozilla.com> wrote:
> > If the web can live with "Referer", it can live with this.  But it seems
> > roughly the same order of magnitude.  It makes me "sic" :)
> Sounds about right. Find another perspective, like 'update-to-secure'
> if you want to avoid seeming insecure.

Received on Thursday, 9 July 2015 06:40:09 UTC
