- From: <bugzilla@jessica.w3.org>
- Date: Wed, 04 Jun 2014 22:49:21 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972
Mark Watson <watsonm@netflix.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |watsonm@netflix.com
--- Comment #8 from Mark Watson <watsonm@netflix.com> ---
Since Netflix was mentioned above ...
Our site is served over HTTP because this is necessary in order to access
content files (which are also served over HTTP from CDNs) without triggering
mixed-mode warnings. We use WebCrypto with our control protocol. Our security
goals are relatively modest: for example we would like to keep our control
protocol data secret from passive monitoring. There may be information of
competitive value that could be obtained from widespread monitoring of our
control traffic - and there is passive monitoring equipment widely deployed -
but that value is much less than the cost of establishing a widespread active
man-in-the-middle attack.
So, I agree with Boris that the API should be available everywhere. As
repeatedly discussed, the API contains more than enough cryptographic rope for
the non-expert to hang themselves with. Restricting to secure origins won't
help with that. On the other hand, contrary to Ryan's assertion, there exist
some modest security goals which can be achieved using WebCrypto on an insecure
origin.
--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Wednesday, 4 June 2014 22:49:23 UTC