
Comment by JoshTriplett

8 years ago

> A site using Flexible SSL is no less secure than one using http://,

It can be, in several ways. Most critically, it stops browsers from detecting the connection as insecure and applying mitigations.

Beyond Secure cookies, what mitigations are you thinking of? Secure cookies don't count because serving Secure cookies over Flexible SSL is no less secure than serving regular cookies over http://.

  • In addition to limiting certain browser features to HTTPS sites, browsers now also warn about submitting passwords over HTTP and mark pages that do so as insecure.

    Browsers also prevent HTTPS sites from embedding active content from HTTP sites.