On 28 September 2014 17:38, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Sun, Sep 28, 2014 at 3:08 PM, Karl Dubost <kdub...@mozilla.com> wrote:
> > Imagine if I am home developing my own little Web app on my computer, I
> > need to get through the hops of deploying TLS.
>
> For testing purposes you can get by without TLS just fine. As far as I
> know the definition of authenticated origin includes localhost.

What is the definition of 'authenticated origins', particularly when dealing with localhost? I am worried that my setup, and that of a lot of devs, includes setting up a local /etc/hosts file and working in a convenient environment, which will no longer be possible. Similarly when setting up ad hoc local networks or creating a standalone intranet, something I do fairly regularly for demos at a conference, hackdays, etc.

This has already been a major pain point: as the author of an IndexedDB library I am fairly constantly asked questions about why my library doesn't work when served from file://index.html. Since the security model deals around the host, it makes things harder for all developers, new ones especially.

There is a solution for transmitting private information over the network, and I believe the responsibility is on content authors to decide when that is appropriate and when it is not, and not the standards bodies.

I agree that any site in production on the live internet transferring users' information should be using https, but every website doesn't follow that use case.

> > Asking everyone to adopt TLS is a bit like asking everyone to switch to
> > XML.
>
> Not really. XML requires redesigning your entire application from the
> ground up. Adding TLS is a little bit of configuration. Completely
> different ballpark.
>
> > It doesn't visibly and directly improve the life of people. In the big
> > scheme of things, it gives an additional layer of security on their
> > communications, but not privacy.
>
> It gives privacy from passive and active network attackers, no?
>
> > Even more so, telling people that they have more privacy because the
> > communication is secure end-to-end is deeply misleading. Secured
> > geolocations end-to-end to an aggregator such as FourSquare, Google,
> > Facebook, etc. doesn't change anything about your privacy.
>
> That's a question of trust, not one of privacy.
>
> --
> https://annevankesteren.nl/
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform