by ta76893547
2040 days ago
> - HTTP access, insecure and some browser functionality is unavailable for pages/SPAs served over HTTP.
> - HTTPS and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser's big warning.

That's not really true though, right? I think the options are actually:

- HTTP access, insecure and some browser functionality is unavailable for pages/SPAs served over HTTP.
- HTTPS, insecure and tell the user (maybe in a previous HTTP page before a redirect) to dismiss the browser's big warning, but some more web APIs work.

Unless I'm mistaken, with a self-signed cert you gain none of the actual security guarantees of HTTPS with a CA, mostly stemming from the fact that there is no authenticity and MITM is trivial. I think it's a bad idea to pretend to a user that a connection is secure if it actually isn't. The solution, I think, would be to open up web APIs to local HTTP connections and create a verification system for self-signed devices like Signal, Matrix, and probably other systems have.

- "Not secure" for HTTP
- "Low security" for HTTPS encrypted but not authenticated (MITM still possible)
- "High security" for HTTPS encrypted and authenticated
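The verification system the comment proposes (an out-of-band check of a self-signed device certificate, in the spirit of Signal safety numbers or Matrix device verification), combined with the three labels listed above, as an added example in Python. This is not code from the thread or from either project: it uses trust-on-first-use pinning keyed by host, the certificate bytes are constructed stand-ins for DER data, and the short verification code derivation is this example's own invention, not Signal's or Matrix's actual scheme. The labels follow the list above: "Not secure" when there is no TLS or the pinned certificate changed, "Low security" when the connection is encrypted to a pinned but unconfirmed certificate, "High security" once the user has confirmed the code shown on the device.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample values standing in for DER-encoded self-signed certificates.
# Only the identity of the bytes matters for fingerprinting in this example.
PRINTER_CERT = b"CONSTRUCTED-DER-self-signed-cert-printer.local-2024"
ROGUE_CERT = b"CONSTRUCTED-DER-cert-presented-by-a-man-in-the-middle"

NOT_SECURE = "Not secure"       # HTTP, or TLS to a certificate that changed under us
LOW_SECURITY = "Low security"   # encrypted, pinned on first use, never confirmed by the user
HIGH_SECURITY = "High security" # encrypted and the user confirmed the device's code out of band


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the raw certificate bytes, colon-separated like a browser's display."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def verification_code(cert_der: bytes, groups: int = 6) -> str:
    """Short decimal code to compare against the one the device shows on its own screen.
    Hypothetical derivation for this example: domain-separated SHA-256, 4-byte chunks
    reduced to 5-digit groups. Not the derivation used by Signal or Matrix."""
    digest = hashlib.sha256(b"device-verify-v1:" + cert_der).digest()
    chunks = [digest[i:i + 4] for i in range(0, 4 * groups, 4)]
    return " ".join(f"{int.from_bytes(c, 'big') % 100000:05d}" for c in chunks)


@dataclass
class Pin:
    fingerprint: str
    user_verified: bool = False


@dataclass
class PinStore:
    """Trust-on-first-use store keyed by host, in the style of an SSH known_hosts file."""
    pins: Dict[str, Pin] = field(default_factory=dict)

    def observe(self, host: str, cert_der: bytes) -> str:
        """Record a never-seen certificate, or compare against the stored pin.
        Returns 'first-use', 'match' or 'mismatch'. A mismatch never overwrites the pin."""
        fp = fingerprint(cert_der)
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = Pin(fp)
            return "first-use"
        return "match" if pin.fingerprint == fp else "mismatch"

    def confirm(self, host: str, code_shown_on_device: str, cert_der: bytes) -> bool:
        """Mark the pin as user-verified only if the code typed in matches the code
        derived from the certificate we actually pinned for this host."""
        pin = self.pins.get(host)
        if pin is None or pin.fingerprint != fingerprint(cert_der):
            return False
        if code_shown_on_device != verification_code(cert_der):
            return False
        pin.user_verified = True
        return True


def connect(store: PinStore, scheme: str, host: str,
            cert_der: Optional[bytes]) -> Tuple[str, str]:
    """Simulate one connection attempt and return (pin outcome, security label)."""
    if scheme != "https" or cert_der is None:
        return "no-tls", NOT_SECURE
    outcome = store.observe(host, cert_der)
    if outcome == "mismatch":
        # Encrypted, but to a key we did not pin: treat exactly like plaintext.
        return outcome, NOT_SECURE
    label = HIGH_SECURITY if store.pins[host].user_verified else LOW_SECURITY
    return outcome, label


if __name__ == "__main__":
    store = PinStore()
    print(connect(store, "http", "printer.local", None))
    print(connect(store, "https", "printer.local", PRINTER_CERT))
    print("code on device:", verification_code(PRINTER_CERT))
    store.confirm("printer.local", verification_code(PRINTER_CERT), PRINTER_CERT)
    print(connect(store, "https", "printer.local", PRINTER_CERT))
    print(connect(store, "https", "printer.local", ROGUE_CERT))
```

The point of the split between `observe` and `confirm` is that encryption alone only ever earns the "Low security" label: the "High security" label requires a second channel (the code displayed on the device itself), and a later certificate change drops the connection back to "Not secure" instead of quietly re-pinning.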