> The goal of this thread is to determine whether there is support in the
> Mozilla community for a plan of this general form.  Developing a precise
> plan will require coordination with the broader web community (other
> browsers, web sites, etc.), and will probably happen in the W3C.
> 

From the user/sysadmin point of view it would be very helpful to have 
information on how the following issues will be handled:

1) Caching proxies: resources obtained over HTTPS cannot be cached by a proxy 
that doesn't use MITM certificates. If all users must move to HTTPS there will 
be no way to re-use content downloaded for one user to accelerate another user. 
This is an important issue for locations with many users and poor internet 
connectivity. 

2) Self-signed certificates: in many situations it is hard/impossible to get 
certificates signed by a CA (e.g. provisioning embedded devices). The current 
approach in many of these situations is not to use HTTPS. If the plan goes into 
effect, what other solution could be used?

Regarding problem 1: I guess that allowing HTTP for resources loaded with 
subresource integrity could be some sort of alternative, but it would require 
collaboration from the server owner. Since that is more work than simply letting 
the webserver send out caching headers automatically, I wonder how many sites 
will implement it.

Regarding problem 2: in my opinion it can be mitigated by offering the user a 
new standard way to validate self-signed certificates: the user is prompted to 
enter the fingerprint of the certificate that she must have received 
out-of-band; if the user enters the correct fingerprint, the certificate is 
marked as trusted (see [1]). This clearly opens up some attacks that should be 
carefully assessed.

Best,
Lorenzo


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1012879
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
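
The out-of-band fingerprint check proposed for self-signed certificates in the message above, as an added example that is not part of the original message or of any browser's code. The function names and sample bytes are hypothetical, and using SHA-256 over the DER encoding is an assumption; the check refuses truncated fingerprints so that a partial match is never accepted.

```python
import hashlib
import hmac
import re

SHA256_HEX_LEN = 64  # a full SHA-256 digest is 32 bytes = 64 hex characters


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize_fingerprint(user_input: str) -> str:
    """Strip the separators people type ("AB:CD", "ab cd", "ab-cd") and lowercase.

    Raises ValueError unless the result is a complete SHA-256 digest, so a
    truncated or mistyped value can never be treated as a match.
    """
    cleaned = re.sub(r"[\s:\-]", "", user_input).lower()
    if len(cleaned) != SHA256_HEX_LEN or not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("expected a full SHA-256 fingerprint (64 hex digits)")
    return cleaned


def user_confirms_certificate(der_bytes: bytes, user_input: str) -> bool:
    """True only if the out-of-band fingerprint matches the presented certificate."""
    try:
        expected = normalize_fingerprint(user_input)
    except ValueError:
        return False
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, cert_fingerprint(der_bytes))


def as_colon_hex(hex_digest: str) -> str:
    """Format a hex digest in the colon-separated uppercase form often printed on labels."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


# Constructed stand-in bytes, not a real certificate: the fingerprint is a hash
# over whatever DER bytes the server presents, so any byte string shows the flow.
SAMPLE_DER = b"constructed placeholder for a device certificate in DER form"

if __name__ == "__main__":
    printed = as_colon_hex(cert_fingerprint(SAMPLE_DER))  # what the user received out-of-band
    print("match:", user_confirms_certificate(SAMPLE_DER, printed))
    print("truncated input:", user_confirms_certificate(SAMPLE_DER, printed[:23]))
```
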
