Re: Better download security through browsers

2017-03-28 Thread Frederik Braun
On 27.03.2017 16:21, Daniel Veditz wrote: > On Mon, Mar 27, 2017 at 1:22 AM, Frederik Braun > wrote: > > UI hooks, for the SafeBrowsing > ​ ​ > malicious file checks, where we really, > ​ ​ > really discourage you from using >

Re: Better download security through browsers

2017-03-27 Thread Daniel Veditz
On Mon, Mar 27, 2017 at 1:22 AM, Frederik Braun wrote: > UI hooks, for the SafeBrowsing > ​ ​ > malicious file checks, where we really, > ​ ​ > really discourage you from using > ​ ​ > the downloaded file but you can still click around that with lots of > ​ ​ > left-clicking.

Re: Better download security through browsers

2017-03-27 Thread Frederik Braun
On 24.03.2017 18:24, Mike Hoye wrote: > My 2006 proposal didn't get any traction either. > > https://lists.w3.org/Archives/Public/public-whatwg-archive/2006Jan/0270.html > > > FWIW I still think it'd be a good idea with the right UI. I think we already have _related_ UI hooks, for the

Re: Better download security through browsers

2017-03-27 Thread Gervase Markham
On 24/03/17 17:12, Gregory Szorc wrote: > This got me thinking: why doesn't the user agent get involved to help > provide better download security? What my (not a web standard spec author) > brain came up with is standardized metadata in the HTML for the download > link (probably an ) that defines

Re: Better download security through browsers

2017-03-25 Thread Daniel Veditz
Most people working on sub-resource integrity has wanted to extend SRI to downloads, it was even in the initial version of the spec but foundered in the weeds of edge cases iirc. I don't see an open issue for it though: looks like it got lost in the transition from our old repo to the new one.

Re: Better download security through browsers

2017-03-24 Thread Mike Hoye
Love it. How do we make it happen? - mhoye On 2017-03-24 1:30 PM, Tom Ritter wrote: It seems like SubResource Integrity could be extended to do this... It's specifically for the use case: where you kinda trust your CDN, but you want to be completely sure. -tom On Fri, Mar 24, 2017 at 12:24

Re: Better download security through browsers

2017-03-24 Thread Tom Ritter
It seems like SubResource Integrity could be extended to do this... It's specifically for the use case: where you kinda trust your CDN, but you want to be completely sure. -tom On Fri, Mar 24, 2017 at 12:24 PM, Mike Hoye wrote: > My 2006 proposal didn't get any traction

Re: Better download security through browsers

2017-03-24 Thread Ben Kelly
We now have SRI and support integrity attributes on elements like

Re: Better download security through browsers

2017-03-24 Thread Mike Hoye
My 2006 proposal didn't get any traction either. https://lists.w3.org/Archives/Public/public-whatwg-archive/2006Jan/0270.html FWIW I still think it'd be a good idea with the right UI. - mhoye On 2017-03-24 1:16 PM, Dave Townsend wrote: I remember that Gerv was interested in a similar idea

Re: Better download security through browsers

2017-03-24 Thread Dave Townsend
I remember that Gerv was interested in a similar idea many years ago, you might want to see if he went anywhere with it. https://blog.gerv.net/2005/03/link_fingerprin_1/ On Fri, Mar 24, 2017 at 10:12 AM, Gregory Szorc wrote: > I recently reinstalled Windows 10 on one of my

Better download security through browsers

2017-03-24 Thread Gregory Szorc
I recently reinstalled Windows 10 on one of my machines. This involved visiting various web sites and downloading lots of software. It is pretty common for software publishers to publish hashes or cryptographic signatures of software so the downloaded software can be verified. (Often times the