I like the general idea here. It's similar to how you download a file in the background while still giving it the name and directory you want. In this case you are downloading content while simultaneously deciding if it is trustworthy.
That said, there are 2 issues to consider.

The first is that any content you receive can be used against you by installing malware and such. This is the primary (and easiest) way to pwn your device. This risk / attack vector is a far more menacing threat than MITM--for my money anyway. So what this means is that all files received would have to be treated with care before they can be used. This means not only HTML and JavaScript of course but also CSS files and images. Still, I think there are ways this can be managed such that you get the performance benefit without necessarily compromising security.

The second issue is one of privacy. Anything you send, including the URL path, can be used to identify you and reveal information about you. This is how email marketers try to figure out if you've read their message. So, when it comes to communicating on a partially secured link, you want to be aware of how much you actually want to reveal. Personally I don't see this risk as being any worse than using the Internet generally, but still something to keep in mind.

Like I said, I think this is a good idea and is worth developing further. Would be good to get feedback from some of the Mozilla devs though.

Original Message
From: John Nagle
Sent: Friday, April 18, 2014 2:51 PM
Subject: Re: Convergence (really MITM detection)

...

One way to ameliorate the performance problem is to display the page before third party validation has been completed, but delay form input, the appearance of the lock icon, and sending of any data from client to server until third party validation checks out. So you can see a login page immediately, but the "submit" button won't take effect until validation checks out. If it doesn't check out, the user gets an alert, of course, and nothing gets sent. This delay has to include any client to server communication initiated from the page, including cookie replies. Otherwise a fake page can steal credentials stored by the browser.
This is probably worth putting into Firefox if any kind of third party cert validation goes in. The alternative, stalling page load and display, would degrade performance as observed by users.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
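The deferred-send behaviour described in the quoted message, modelled as an added example that is not part of the original thread and is not Firefox code. `ValidationGate`, `simulate` and the request objects are hypothetical names and constructed sample data.

```javascript
// Model: the page renders immediately, but every client-to-server message
// is held until third-party certificate validation reports a result.
class ValidationGate {
  constructor(transmit, alertUser) {
    this.state = "pending";     // pending -> valid | failed
    this.queue = [];            // outbound requests held during validation
    this.transmit = transmit;   // callback that actually puts data on the wire
    this.alertUser = alertUser; // callback that shows the failure alert
  }
  // Form submits, script-initiated requests and cookie replies all pass here.
  send(request) {
    if (this.state === "valid") { this.transmit(request); return "sent"; }
    if (this.state === "failed") return "dropped";
    this.queue.push(request);
    return "held";
  }
  // Rendering is not gated; the lock icon is.
  showLockIcon() { return this.state === "valid"; }
  // Called once when the third-party check finishes.
  complete(ok) {
    if (this.state !== "pending") return;
    this.state = ok ? "valid" : "failed";
    const held = this.queue;
    this.queue = [];
    if (ok) held.forEach((r) => this.transmit(r));
    else this.alertUser(`validation failed; ${held.length} request(s) discarded`);
  }
}

// Constructed scenario: a cookie reply and a login submit arrive before the
// validation result, and one more submit arrives after it.
function simulate(validationOk) {
  const wire = [];
  const alerts = [];
  const gate = new ValidationGate((r) => wire.push(r), (m) => alerts.push(m));
  const early = [
    gate.send({ kind: "cookie", path: "/session" }),
    gate.send({ kind: "form", path: "/login" }),
  ];
  const sentBeforeValidation = wire.length;
  const lockBefore = gate.showLockIcon();
  gate.complete(validationOk);
  const late = gate.send({ kind: "form", path: "/login" });
  return { early, sentBeforeValidation, lockBefore,
           lockAfter: gate.showLockIcon(), late, wire, alerts };
}
```
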