On 16/08/13 20:09 PM, Kevin Chadwick wrote:
and the thread Subject is spot on.

How about

War on mixed content - why not?

Warnings have been popping up for as long as I can remember so the
likelihood is that if they haven't fixed the site, they have chosen not
to. I could understand an argument that the warning could have changed
to a "this will be blocked in future" (a deprecation warning) but
other than that I think this is the right thing even if it can be a
little annoying very occasionally for the time being.


Sure, but warnings are useless. Some people -- us -- might follow them. Most have been trained for so long to click through them that they no longer read them. Click-thru syndrome is a sad result of unreliable systems: if the False Negatives (wrong warnings) are too frequent, and True Negatives (correct warnings) are too infrequent, then it simply doesn't work [0] as people learn to click-thru without further examination.


I don't believe in ssl everywhere at all. It is an answer to a problem
that should be tackled directly and could make things worse, privacy
wise, DOS wise and energy usage wise etc.


I agree your criticism against ssl-everywhere has merit. But we have no choice. Only the browser vendors have a choice, and they have chosen. Move on...


Heck Xombrero has taken the spot from Firefox as my favourite browser
today and I hate to think how much energy would be saved if everyone
could or was using it (brill but not the easiest to use at first but
the easiest once mastered or if you use vi and doesn't run on Windows).

There is no need for mixed content and why would you use plain text and
ssl at the same time, a user only makes one request at a time and web
pages are tiny. Really a site should only come from one domain too.


Huh? Have you seen a modern website lately? It's chock full of all sorts of modern stuff ... The average site signs up for 10 or so services all spamming your privacy data across like so much confetti.

We live in the world of the possible, not the idealised world. And by "we" I mean, the billion or so web users as well as the relatively tiny geek/developer quorum that produces the browser for the users.



iang




[0] I don't know for sure, but it is my suspicion that Bayesian statistics explains this more clearly. If there is anyone in the house that actually knows it, please speak...
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
