
They are specifically suggesting that HTTP-only sites not be able to load from third party sites, which is quite a bit different than your interpretation of generally preventing any site from loading any external content. HTTPS ought to be the default and browsers can, and should, move towards that.

But to answer your question more directly, yes they clearly know what they are suggesting.



I note this language in the writeup:

> These attacks would not be successful if the following resources were served over HTTPS instead of HTTP:

> http://push.zhanzhang.baidu.com/push.js; or

> http://js.passport.qihucdn.com/11.0.1.js

This seems overly generous. I personally would not assume that the government of China couldn't persuade Baidu or qihucdn.com to serve government-provided JavaScript.

It also assumes that the end users ("victims") here don't trust any Chinese certificate authority.
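The two script URLs quoted above are the kind of load the writeup is pointing at: a cross-origin resource fetched over plain HTTP from a page that is itself plain HTTP, which any on-path party can rewrite. As an added example (not code from the thread or the writeup), here is a small audit that parses an HTML document and lists every cross-origin resource the browser would fetch over HTTP; the page URL and the HTML body are constructed, the two quoted hostnames are reused as sample values, and hostname equality is used as the origin check, so a subdomain of the page's own domain counts as third party.

```python
"""Audit an HTML document for cross-origin resources fetched over plain HTTP.

Added example; not part of the thread or the writeup it discusses. The sample
page URL and HTML below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value the browser fetches. Scripts are the ones that
# execute, but a rewritten stylesheet, frame or image is also an injection point.
_FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, absolute URL) for every fetchable resource in the document."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = _FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative paths and protocol-relative "//host/x"
                # URLs against the page URL, so on an http:// page "//cdn/x.js"
                # correctly comes out as http://cdn/x.js.
                self.resources.append((tag, urljoin(self.base_url, value)))


def _host(url):
    return urlsplit(url).hostname


def insecure_third_party_resources(page_url, html):
    """Return (tag, url) pairs that are both plain-HTTP and served by a host
    other than the page's own host."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    page_host = _host(page_url)
    return [
        (tag, url)
        for tag, url in collector.resources
        if urlsplit(url).scheme == "http" and _host(url) != page_host
    ]


# Constructed sample: an HTTP page loading the two scripts quoted in the thread,
# once over HTTP, once over HTTPS, and once protocol-relative.
SAMPLE_PAGE_URL = "http://example.test/index.html"  # assumed page origin
SAMPLE_HTML = """
<html><head>
<script src="http://push.zhanzhang.baidu.com/push.js"></script>
<script src="https://js.passport.qihucdn.com/11.0.1.js"></script>
<script src="//js.passport.qihucdn.com/11.0.1.js"></script>
<script src="/local.js"></script>
<link rel="stylesheet" href="http://example.test/style.css">
<img src="http://img.example.test/logo.png">
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in insecure_third_party_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure cross-origin <{tag}> load: {url}")
```

On the constructed sample, the HTTP Baidu script, the protocol-relative qihucdn script (which resolves to HTTP because the page is HTTP) and the image from a different host are reported; the HTTPS script and the same-host stylesheet and script are not. Moving the page itself to HTTPS turns the protocol-relative load into an HTTPS one, which is the practical point of the thread.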


I'll speculate that there are sufficient locations failing to use https that they haven't felt a need to use https. I further speculate that China is sufficiently entangled with the international internet that they would prefer not to have their certificate authorities de-listed by the major browser vendors.


> But to answer your question more directly, yes they clearly know what they are suggesting.

Highly unlikely, or else the suggestion would be to just ban HTTP altogether. HTTP without the ability to load resources from other domains would break the majority of sites.



