Re: UPGRADE: 'HTTPS' header causing compatibility issues. from Jonathan Kingston on 2015-07-09 (public-webappsec@w3.org from July 2015)

From: Jonathan Kingston <jonathan@jooped.com>
Date: Thu, 9 Jul 2015 09:08:57 +0100
To: Mike West <mkwst@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Tanvi Vyas <tanvi@mozilla.com>, Mark Nottingham <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Richard Barnes <rbarnes@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Ilya Grigorik <igrigorik@google.com>, Adrian Hope-Bailie <adrian@hopebailie.com>, Brian Smith <brian@briansmith.org>
Message-ID: <CAKrjaaUEOHf6C10Eq-+xXgFkJmd2jieP-FX4QH5VKcXrvNAqPA@mail.gmail.com>

The following is the shorter and perhaps more accurate:
encrypt-insecure: 1

I'd still like:
Prefer: encrypt-insecure

On 9 July 2015 at 07:39, Mike West <mkwst@google.com> wrote:

> It feels like a distinction without meaning, especially given that we know
> passive monitoring is happening on a wide scale. Calling unencrypted
> transport affirmatively "insecure" seems fairly reasonable.
>
> -mike
> On Jul 9, 2015 06:54, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>
>> On 8 July 2015 at 21:44, Richard Barnes <rbarnes@mozilla.com> wrote:
>> > If the web can live with "Referer", it can live with this.  But it seems
>> > roughly the same order of magnitude.  It makes me "sic" :)
>>
>>
>> Sounds about right. Find another perspective, like 'update-to-secure'
>> if you want to avoid seeming insecure.
>>
>

Received on Thursday, 9 July 2015 08:09:27 UTC