
On the topic of XSS, it seems funny that https makes you think something is secure when it is often not with XSS. I remember finding an XSS in our high school system. Even though the page was https, the XSS allowed you to embed other https sites, which let me do malicious things without anyone knowing.


Assuming a website is secure only because it has a padlock is like assuming a room is secure because it has a padlock. The room might have windows, back doors, or the hinges might be on the outside. Https (reasonably) guarantees confidentiality and integrity of the connection to the server, nothing more and nothing less.


> Https (reasonably) guarantees confidentiality and integrity of the connection to the server, nothing more and nothing less.

Nah, this is pretty wrong. It would be pretty useless (if not dangerous) if that were all it did. The most important thing it establishes is the server's authenticity, i.e. you don't want a tamper-proof and confidential connection with the wrong server! And moreover, once you can guarantee authenticity, the rest are secondary since they're easy to subsequently establish via key exchange and hashing.


Oh, yes, authenticity. You're right, that's a third feature!

Still, it doesn't say anything about whether the website left the metaphorical hinges on the outside (i.e. has other security issues, such as XSS).


Can you really ensure confidentiality without authenticity though? Seems like you inherently are susceptible to MITM attacks without authenticity. Are there examples of the former without the latter?


With guaranteed confidentiality, you know it's confidential between you and the other party. Who that other party is however... so yeah, I see your point. I'm not sure if there's really a case for keeping these two separate, but that's how it's currently taught in schools (at least in the Netherlands).


That is a fair point, but I think there should be an option to only enable certain sites as whitelisted, sort of like a robots file. That would mostly solve the issue.
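The whitelist of embeddable sites asked for in the comment above is what the Content-Security-Policy `frame-src` directive provides in browsers today. The following is an added example, not code from the thread or from any commenter: it checks whether a page's CSP permits framing a given URL, honouring the frame-src / child-src / default-src fallback chain. `SAMPLE_CSP`, the page origin and the candidate URLs are constructed sample data.

```python
# Added example (not from the thread): the "whitelist of embeddable sites" idea,
# as the real CSP frame-src directive expresses it. SAMPLE_CSP is constructed.
from urllib.parse import urlsplit

# CSP Level 3 fallback chain for frames: frame-src -> child-src -> default-src.
FALLBACK = ("frame-src", "child-src", "default-src")
SAMPLE_CSP = "default-src 'self'; frame-src 'self' https://*.example.com https://pay.example.net"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def frame_sources(policy: dict):
    """Source list governing frames, or None when nothing restricts them."""
    for name in FALLBACK:
        if name in policy:
            return policy[name]
    return None


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    """Match one CSP source expression (ports and paths not modelled)."""
    u, page = urlsplit(url), urlsplit(page_origin)
    if expr == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if expr.startswith("'"):            # 'none' and other keywords allow nothing here
        return False
    if expr.endswith(":"):              # scheme-source such as "https:"
        return u.scheme == expr[:-1]
    scheme, _, host = expr.rpartition("://")   # host-source, optional scheme
    if scheme and u.scheme != scheme:
        return False
    host = host.lower()
    if host.startswith("*."):           # wildcard label: subdomains only
        return u.netloc.lower().endswith(host[1:]) and u.netloc.lower() != host[2:]
    return host == "*" or u.netloc.lower() == host


def embed_allowed(header: str, url: str, page_origin: str) -> bool:
    """True if a page at page_origin serving this CSP may frame url."""
    sources = frame_sources(parse_csp(header))
    return True if sources is None else any(
        source_matches(e, url, page_origin) for e in sources)
```

Note that an empty source list (`frame-src;`) blocks every frame, as the spec requires, while a policy with none of the three directives leaves embedding unrestricted.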


