The Grave Accent and XSS (davidmurdoch.com)
67 points by davidmurdoch on Sept 2, 2017 | hide | past | favorite | 21 comments


Wasn't adding a new character to browsers that needs escaping a grave (heh) error of judgement?

There's a lot of unmaintained client side code out there.


Escaping <>"' properly is still enough. Without them you can't create the <script> needed to use a backtick.


Remember & as well.

Inside an attribute value: use single or double quotes, then escape ampersand (&) and the other type of quote (" or ').

In a text value: all you need to escape are less than (<) and ampersand (&).

In any other location: … why are you doing this? (<>"'& is enough to cover everything, but you probably shouldn’t be doing this in the first place.)


You need to escape =. Otherwise if someone does something like:

document.write("<a class=" + str + " href='foo'>xss</a>");

The attacker can set str to "foo onclick=alert(1)".


You can't safely put arbitrary user input in an unquoted attribute value.


You should put quotes around the attribute value.

Then you won't need to escape =.


The issue is when a developer forgets to do so. No reason to not escape it.
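The context-dependent escaping rules and the unquoted-attribute `document.write` example from the comments above, worked through as an added example (not code from the thread or the linked article). The `escapeText`, `escapeAttr`, `renderUnquoted`, `renderQuoted` and `attributeNames` helpers are constructed for this illustration; the small tokenizer follows the HTML rule that an unquoted attribute value ends at whitespace.

```javascript
// Constructed example: context-aware HTML escaping, and why escaping alone
// cannot make an unquoted attribute value safe.

const TEXT_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;" };
const ATTR_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                   '"': "&quot;", "'": "&#39;", "`": "&#96;" };

// Text context: & and < are what matter; > is escaped too for symmetry.
function escapeText(s) {
  return String(s).replace(/[&<>]/g, (c) => TEXT_MAP[c]);
}

// Quoted attribute context: & plus both quote characters. < > and the
// grave accent (the thread's topic) are escaped defensively as well.
function escapeAttr(s) {
  return String(s).replace(/[&<>"'`]/g, (c) => ATTR_MAP[c]);
}

// The pattern from the thread: user input in an UNQUOTED attribute value.
// escapeAttr leaves spaces alone, so a space starts a new attribute.
function renderUnquoted(str) {
  return "<a class=" + escapeAttr(str) + " href='foo'>xss</a>";
}

// The fix discussed in the replies: quote the attribute, escape for that context.
function renderQuoted(str) {
  return '<a class="' + escapeAttr(str) + '" href="foo">xss</a>';
}

// Minimal tokenizer: returns the attribute names of the first start tag.
// Quoted values run to the matching quote; unquoted values end at whitespace.
function attributeNames(markup) {
  const m = /^<[a-zA-Z]+\s+([^>]*)>/.exec(markup);
  if (!m) return [];
  const names = [];
  const re = /([^\s=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"']*))?/g;
  let t;
  while ((t = re.exec(m[1])) !== null) names.push(t[1]);
  return names;
}

const payload = "foo onclick=alert(1)";          // the thread's example input
console.log(attributeNames(renderUnquoted(payload))); // [ 'class', 'onclick', 'href' ]
console.log(attributeNames(renderQuoted(payload)));   // [ 'class', 'href' ]
```

The unquoted rendering gains an `onclick` attribute even though the input contains none of `<>"'&`; the quoted rendering keeps the whole input inside `class`.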


On the topic of XSS it seems funny that https makes you think something is secure when it is often not with XSS. I remember finding an XSS in our high school system. Even though the page was https the XSS allowed you to embed other https sites which let me do malicious things without anyone knowing.


Assuming a website is secure only because it has a padlock is like assuming a room is secure because it has a padlock. The room might have windows, back doors, or the hinges might be on the outside. Https (reasonably) guarantees confidentiality and integrity of the connection to the server, nothing more and nothing less.


> Https (reasonably) guarantees confidentiality and integrity of the connection to the server, nothing more and nothing less.

Nah, this is pretty wrong. It would be pretty useless (if not dangerous) if that were all it did. The most important thing it establishes is the server's authenticity, i.e. you don't want a tamper-proof and confidential connection with the wrong server! And moreover, once you can guarantee authenticity, the rest are secondary since they're easy to subsequently establish via key exchange and hashing.


Oh, yes, authenticity. You're right, that's a third feature!

Still, it doesn't say anything about whether the website left the metaphorical hinges on the outside (i.e. has other security issues, such as XSS).


Can you really ensure confidentiality without authenticity though? Seems like you inherently are susceptible to MITM attacks without authenticity. Are there examples of the former without the latter?


With guaranteed confidentiality, you know it's confidential between you and the other party. Who that other party is however... so yeah, I see your point. I'm not sure if there's really a case for keeping these two separate, but that's how it's currently taught in schools (at least in the Netherlands).


That is a fair point, but I think there should be an option to only enable certain sites as whitelisted, sort of like a robots file. That would mostly solve the issue.



I do not think this symbol is neither used (in combination with a letter) nor ever called anything but "backtick". It's not an "accent grave" (even if it might be used as one), but a reverse apostrophe - backtick or backquote.


The key marked ` is often set as a "dead key" on European keyboard layouts -- typically the layouts where the accent isn't commonly used, but will be needed for typing people and place names, or the occasional foreign word.

With a Danish Mac layout, to type ` I press it then press space. To type è, ì etc, I press `, then press the vowel. Similarly I can use the keys marked ¨ ^ and ´. (The Danish letters æ, ø, å have their own keys, since they are used very frequently.)

So, I would never call it "backtick", since it is a grave accent.


It pisses me off to no end when software uses keyboard shortcuts like Ctrl+` or even just ~. These are simply unusable with my keyboard.


It pisses me off to no end when software uses keyboard shortcuts like Ctrl+anything, unless it's using ASCII control characters (e.g. vi, emacs). Every *nix GUI toolkit knew this until the year-of-desktop-Linux crowd insisted on slavishly imitating every Windows mistake.


The 1967 version of ASCII (which introduced ` along with the other characters like lower case in the same columns) allowed certain characters [`'"~^,] to have a dual role as punctuation [‘’"‾^,] or accents [`´¨˜ˆ¸] — not as some fancy complicated encoding, but simply as type bars that would look OK when overstruck on a letter. The characters ^ ` and ~ were encoded specifically because they could be used as accents. Notwithstanding the name we know it under, ASCII was an international effort.

ASCII-1967 isn't online but ECMA-6-1973 is functionally equivalent. https://www.ecma-international.org/publications/standards/Ec...


It is a grave accent. Something which was and still largely is of little use to many that grew up in the United States knowing only English. So, such users abused and re-purposed it as a "backtick", which feels like an unfortunate decay due to ignorance. But such things continually happen.



