You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: admin/100_percent_https_roadmap.md
+7-3Lines changed: 7 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,10 +1,11 @@
1
1
100% HTTPS: Roadmap for the entire Web
2
2
======================================
3
3
4
-
“Just turn on https” isn’t enough.
4
+
Is “Just turn on TLS” and s/http/https/g good enough?
5
5
----------------------------------
6
6
* Mixed content and secure <--> insecure information flows can violate the invariants of secure contexts.
7
7
* Need a plan to manage upgrading static content, including URLs-as-data and URLs-as-stable-identifiers, to work with secure transports.
8
+
* What would it look like if 'http' was a potentially secure scheme?
8
9
9
10
Terminology
10
11
-----------
@@ -16,11 +17,11 @@ E.g.: HTTP GET/POST send data from an application to a resource, XHR reads data
16
17
Starting Assumptions
17
18
----------------------------------
18
19
* Axiom 1: Users cannot meaningfully deal with nuanced security models. A resource is either secure or it is not.
19
-
* Axiom 2: Secure means that the source of information is authenticated, and it has privacy and integrity guarantees in transit between the source and the user.
20
+
* Axiom 2: Secure means that the source of information is authenticated and it has privacy and integrity guarantees in transit between the source and the user.
20
21
* Axiom 3: (controversial?) We should not ask users to make exceptions or bypass security. (follows from Axiom 1)
21
22
* Axiom 4: Applications must be able to require a security contract from user agents on behalf of users.
22
23
23
-
e.g. if Facebook is going to send a security token somewhere on your behalf, we will never do so over an insecure channel or one that is only “optimistically” secure.
24
+
e.g. 4 if Facebook is going to send a security token somewhere on your behalf, it wants to be sure it will never do so over an insecure channel or one that is only “optimistically” secure.
24
25
25
26
The Invariants
26
27
----------------------------------
@@ -134,6 +135,9 @@ What about localStorage, indexedDB?
134
135
Other Issues
135
136
----------
136
137
* DTDs and Namespaces in XML
138
+
139
+
Grab bag
140
+
---------
137
141
* How do we protect anonymous expression on the web in a world of 100% authenticated content?
138
142
- Are Let’s Encrypt and other free DV issuance enough?
0 commit comments