On 13/08/13 10:44 AM, Mikko Rantalainen wrote:
> On Tuesday, 13 August 2013 00:59:24 UTC+3, Tanvi Vyas wrote:
>> I filed a bug for this and welcome feedback and
>> suggestions: https://bugzilla.mozilla.org/show_bug.cgi?id=903211.
>
> Thanks for the pointers. I added a comment to that bug.
>
>> On a side note, Ian mentioned a "neutral" mode for SSL, and I'm unclear
>> on what that is referring to. Some context would be helpful.
>
> I cannot speak for Ian, but I'd guess "neutral" mode means something along
> the lines of "use encrypted connection but do not show any additional
> 'secure' UI decorations". That would be suitable for cases where the site
> wants to protect the user input and site output but there's no need to
> convince the user that the *site* is secure. Kind of "this is normal
> content that just happens to be transferred over a secure link, allow all
> stuff that would be allowed if the host document used an HTTP connection".
>
> If my interpretation is correct, this is exactly the mode which is required for
> a painless transition to fully encrypted mode in the future. Currently either you
> convert all content to HTTPS connections and do not embed any HTTP content, or
> you cannot use an HTTPS connection for the host document.

Pretty much. The capability exists in SSL (easily) to do encrypted
links by turning on ADH or self-signed certs automatically. It always
has existed. Because these don't offer much authentication, and they
are basically opportunistic, their protection is not as strong as the
certificate model you are all familiar with. Hence, they don't deserve
much or any indication of a positive nature. So, easy conclusion is to
not turn on the icon / colours / happy face for these modes.

They are however logically and effectively stronger than cleartext HTTP,
because they provide passive encryption at least. And this is where
browser security goes wrong. Instead of promoting them, the browser
vendors ban or condemn them with big red warnings. Their logic is based
on other mis-assumptions, and we don't need to drag in 20 years of old
dead arguments here.

Hence it is a trap of their own making. The security model is what we
in the trade call "all or nothing", and those sorts of models generally
result in approximately nothing. The challenge then is to move everyone
from close to nothing to closer to all when there ain't nothing in the
middle.

As I say, these are old arguments. I'm only repeating them so that
people understand why the browsers are moving now to ban these forms of
mixed content under HTTPS. Unfortunately, they have to, and the browser
vendors have to sacrifice their users in the process, because the threat
scenario (the hackers and so forth) has been building up over the last
few years so dramatically that now everyone is capable of pointing the
finger at those who did nothing when the warning signs were clear and loud.

iang
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security