On Mon, Aug 18, 2014 at 1:24 PM, Dave Warren <[email protected]> wrote:
>
> Like with so many things in security, there is an obvious security vs
> usability tradeoff here, is it better to return an insecure version of a
> page, or an error message and an unusable site?
>
> Obviously if this is a permanent situation, the rule should be disabled
> and removed, but in the case of a temporary error on the HTTPS side, I'd be
> very nervous about automatically removing a layer of security.

Oh definitely -- I was thinking @jsha's proposal was on the development /
codebase side, not client extension side. Though maybe things change so
rarely it makes sense to manually validate all disabled rules.

>
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>
>
> _______________________________________________
> HTTPS-Everywhere mailing list
> [email protected]
> https://lists.eff.org/mailman/listinfo/https-everywhere
>

--
Nick Semenkovich
Laboratory of Dr. Jeffrey I. Gordon
Medical Scientist Training Program
School of Medicine
Washington University in St. Louis
https://nick.semenkovich.com/
