On Sat, Jul 05, 2014 at 08:54:55AM +0900, Joel Rees wrote:
And you know, the funny thing is that MSIE took to "warning" people when there was a mix of encrypted and unencrypted data on a page. How long ago? Yeah, I know, it was so they could display that red herring of a lock for "secured pages". You don't need a warning when you are looking at un-encrypted data. You only need a warning if you are _sending_ un-encrypted data.
This kind of threat analysis is why so many of us are still skeptical of the need for HTTPS package mirrors.
Mike Stone