[HTTPS-Everywhere] [Technologists] what percentage of https everywhere rules are "simple" upgrades?
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Jan 5 11:58:26 PST 2015
On 01/05/2015 01:52 PM, Peter Eckersley wrote:
> We should definitely wade into this thread; I'm strongly of the view
> that MCB is making HTTPS harder, and browsers should make the
> opportunistic attempts even if they occasionally cause issues. I might
> be missing some horrible security flaw, but I can't think of it right
> now.
There seem to be three options being discussed when the browser is
directed to fetch an http resource from an https page:
A) (status quo, roughly): the request is disallowed
B) (tbl's apparently proposal): go ahead with http fetch
C) (brad hill's "optimistic" suggestion): try https version of
requested resource instead
Compared to (B), (C) has no security flaws, since a network attacker can
put arbitrary information into the request in (B), whereas the content
of the resource in C is only whatever the resource's server is willing
to produce via https.
I don't see a particular security flaw comparing (C) to (A) either, but
maybe there is one i haven't noticed.
Anyway, if people are willing to consider (B), they certainly shouldn't
reject (C) on security grounds.
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <https://lists.eff.org/pipermail/https-everywhere/attachments/20150105/12dc5ae2/attachment.sig>
More information about the HTTPS-Everywhere
mailing list