- From: <bugzilla@jessica.w3.org>
- Date: Wed, 04 Jun 2014 22:49:21 +0000
- To: public-webcrypto@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25972

Mark Watson <watsonm@netflix.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |watsonm@netflix.com

--- Comment #8 from Mark Watson <watsonm@netflix.com> ---

Since Netflix was mentioned above ...

Our site is served over HTTP because this is necessary in order to access content files (which are also served over HTTP from CDNs) without triggering mixed-mode warnings. We use WebCrypto with our control protocol.

Our security goals are relatively modest: for example we would like to keep our control protocol data secret from passive monitoring. There may be information of competitive value that could be obtained from widespread monitoring of our control traffic - and there is passive monitoring equipment widely deployed - but that value is much less than the cost of establishing a widespread active man-in-the-middle attack.

So, I agree with Boris that the API should be available everywhere. As repeatedly discussed, the API contains more than enough cryptographic rope for the non-expert to hang themselves with. Restricting to secure origins won't help with that.

On the other hand, contrary to Ryan's assertion, there exist some modest security goals which can be achieved using WebCrypto on an insecure origin.

--
You are receiving this mail because:
You are on the CC list for the bug.

Received on Wednesday, 4 June 2014 22:49:23 UTC