On 4/14/15 16:32, northrupthebandg...@gmail.com wrote:
> *By logical measure*, the [connection] that is encrypted but unauthenticated is
> more secure than the one that is neither encrypted nor authenticated, and the
> fact that virtually every HTTPS-supporting browser assumes the precise opposite
> is mind-boggling.

That depends on what kind of resource you're trying to access. If the resource you're trying to reach (in both circumstances) isn't demanding security -- i.e., it is an "http" URL -- then your logic is sound. That's the basis for enabling OE.

The problem here is that you're comparing:

 * Unsecured connections working as designed

with

 * Supposedly secured connections that have a detected security flaw


An "https" URL is a promise of encryption _and_ authentication; and when those promises are violated, it's a sign that something has gone wrong in a way that likely has stark security implications.

Resources loaded via an "http" URL make no such promises, so the situation isn't even remotely comparable.

--
Adam Roach
Principal Platform Engineer
a...@mozilla.com
+1 650 903 0800 x863
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
