On 01/05/2015 01:52 PM, Peter Eckersley wrote: > We should definitely wade into this thread; I'm strongly of the view > that MCB is making HTTPS harder, and browsers should make the > opportunistic attempts even if they occasionally cause issues. I might > be missing some horrible security flaw, but I can't think of it right > now.
There seem to be three options being discussed when the browser is
directed to fetch an http resource from an https page:
A) (status quo, roughly): the request is disallowed
B) (tbl's apparently proposal): go ahead with http fetch
C) (brad hill's "optimistic" suggestion): try https version of
requested resource instead
Compared to (B), (C) has no security flaws, since a network attacker can
put arbitrary information into the request in (B), whereas the content
of the resource in C is only whatever the resource's server is willing
to produce via https.
I don't see a particular security flaw comparing (C) to (A) either, but
maybe there is one i haven't noticed.
Anyway, if people are willing to consider (B), they certainly shouldn't
reject (C) on security grounds.
--dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ HTTPS-Everywhere mailing list [email protected] https://lists.eff.org/mailman/listinfo/https-everywhere
