[HTTPS-Everywhere] Avira wants to contribute

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 27 19:30:26 PST 2015


On Wed 2015-02-25 14:08:08 -0500, Seth David Schoen wrote:
> Hi Thorsten, nice to hear from you!  I just wanted to mention this
> point is discussed in
>
> https://lists.eff.org/pipermail/https-everywhere/2014-January/thread.html#1901
>
> and elsewhere -- you can take a look at the Firefox and Chromium bugs
> that are linked from Jacob's quoted message.
>
> I think I was the person who told you that, and that is the main
> difficulty right now.  The problem is that Chromium will block mixed
> content before allowing us to rewrite the insecure URLs to secure URLs,
> even though the resulting secure URLs would no longer count as mixed
> content.  The Chromium developers have described this as working as
> intended; for us, it means that there are sites that we could otherwise
> fix that instead we break or else leave insecure.

In discussion on webappsec, several different people (including Mike
West from Google and myself) have suggested that browsers should
experiment with auto-upgrading blockable mixed content from http to
https, since this is strictly no worse from an end user experience than
blocking anyway.

See: http://www.w3.org/mid/CAKXHy=c6KLDQxJHVi_tcYNnEh3ttUHN+RCkuEPjP4BYyUQr-sw@mail.gmail.com

I think this would address many (most?) of the concerns raised by Seth
above.

A patch to Chromium to implement this change would be a nice
contribution.

  --dkg
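
The ordering problem Seth describes and the auto-upgrade idea suggested above, as a simplified model. This is an added example, not part of the original message and not Chromium or HTTPS Everywhere code; the function names, the ruleset host and the sample URLs are assumptions made up for illustration.

```javascript
// Simplified model added for illustration; not Chromium or HTTPS Everywhere code.
// Passive resource types the W3C Mixed Content spec calls optionally-blockable.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);
// Constructed stand-in for a ruleset: hosts assumed to serve the same content over HTTPS.
const RULESET_HOSTS = new Set(["cdn.example.com"]);
// Constructed sample inputs.
const PAGE = "https://site.example/";
const SCRIPT = { url: "http://cdn.example.com/app.js", type: "script" };

const scheme = (u) => new URL(u).protocol;
const isMixed = (page, req) => scheme(page) === "https:" && scheme(req.url) === "http:";
const mustBlock = (page, req) => isMixed(page, req) && !OPTIONALLY_BLOCKABLE.has(req.type);

function toHttps(url) {
  const u = new URL(url);
  u.protocol = "https:";
  return u.href;
}

// Extension-style rewrite: upgrade only when a rule covers the host.
function rewrite(req) {
  const covered = scheme(req.url) === "http:" && RULESET_HOSTS.has(new URL(req.url).hostname);
  return covered ? { ...req, url: toHttps(req.url) } : req;
}

// Order described in the thread: the mixed-content check runs first,
// so a blockable request is dropped before the rewrite can fix it.
function blockThenRewrite(page, req) {
  if (mustBlock(page, req)) return { action: "block" };
  return { action: "load", url: rewrite(req).url };
}

// Order the extension needs: rewrite first, then judge the resulting URL.
function rewriteThenCheck(page, req) {
  const r = rewrite(req);
  return mustBlock(page, r) ? { action: "block" } : { action: "load", url: r.url };
}

// Suggested experiment: the browser itself upgrades blockable mixed content.
// If the https fetch fails, the outcome for the user matches blocking.
function autoUpgrade(page, req) {
  const url = mustBlock(page, req) ? toHttps(req.url) : req.url;
  return { action: "load", url };
}

console.log(blockThenRewrite(PAGE, SCRIPT), rewriteThenCheck(PAGE, SCRIPT), autoUpgrade(PAGE, SCRIPT));
```

With auto-upgrade, a blockable request to a host no ruleset covers is still attempted over https instead of being dropped outright.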

