Re: Use case - John and Jane

On Fri, Mar 22, 2013 at 5:38 PM, Ryan Sleevi <sleevi@google.com> wrote:

>
> On Fri, Mar 22, 2013 at 5:33 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>> On Fri, Mar 22, 2013 at 4:57 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>>
>>> Scheme is either HTTP or HTTPS. An origin accessed over HTTP is *not*
>>> the same as an origin accessed via HTTPS - because they are different
>>> schemes.
>>>
>>
>> Ryan,
>>
>> I generally agree with your argument here, but I wanted to observe
>> that there has been some discussion of mechanisms for
>> authenticating JS delivered over HTTP (e.g., script-hash).
>>
>> I don't think this changes your basic point though.
>>
>> -Ekr
>>
> Sure, but that's been in the context of the main page (and therefore
> origin) are delivered over HTTPS, and it securely indicates the script-hash
> for resources to load over HTTP (eg: to permit edge caching).
>
> An HTTP page embedding HTTP resources with script-hash is as insecure as
> an HTTP page embedding HTTPS resources, which is as insecure as an HTTP
> page embedding HTTP resources - the attacker can always modify the HTTP
> page itself.
>

I have no argument with this message.

-Ekr
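As an added illustration that is not part of the thread, the two points above expressed in JavaScript: an origin is the (scheme, host, port) triple, so the HTTP and HTTPS forms of a host are distinct origins, and a script-hash on a sub-resource only helps when the page carrying it was itself delivered over HTTPS. The host names are constructed and the `scriptHash` field is a hypothetical stand-in for whatever the hash mechanism would be.

```javascript
// Added example, not code from the mailing-list thread.
// Uses the WHATWG URL API (global in browsers and in Node 10+).

// Serialize an origin as "scheme//host:port", filling in the default port
// so that https://example.com and https://example.com:443 compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  // URL already lowercases the host; u.port is "" when it is the default.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin means all three components match; a scheme change alone
// (http vs https) is enough to make two URLs different origins.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Following the reasoning in the thread: the page is the trust root.
//   - An HTTP page can be rewritten in transit, so nothing it embeds is
//     authenticated, whether the resource is HTTPS or carries a hash.
//   - Under an HTTPS page, an HTTPS resource is authenticated by TLS and an
//     HTTP resource is authenticated only if the page pins a script-hash.
// `resource.scriptHash` is a hypothetical field for this illustration.
function resourceAuthenticated(pageUrl, resource) {
  const pageScheme = new URL(pageUrl).protocol;
  const resScheme = new URL(resource.url).protocol;
  if (pageScheme !== "https:") return false;
  if (resScheme === "https:") return true;
  return Boolean(resource.scriptHash);
}
```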

Received on Saturday, 23 March 2013 00:40:23 UTC