W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2013

RE: I revised the pro/contra document

From: Christian Huitema <huitema@huitema.net>
Date: Sun, 24 Nov 2013 23:11:26 -0800
To: "'Eliot Lear'" <lear@cisco.com>, "'Tim Bray'" <tbray@textuality.com>, "'Mike Bishop'" <Michael.Bishop@microsoft.com>
Cc: "'Alexandre Anzala-Yamajako'" <anzalaya@gmail.com>, <ietf-http-wg@w3.org>
Message-ID: <091801cee9ad$9074a2a0$b15de7e0$@huitema.net>
>> I doubt you would bother to install a valid certificate; you'd just use a self-signed cert or something, and because you've said you don't 
>> care about it, you'd ignore the warnings.
>
> This is precisely the behavior you don't want to encourage, not to mention it may not even work at all because of a lack of UI (this is one 
> generates a lot of broken software behavior).

I could sum that as “UA does not have enough information, so the dialog is scary.” Over time, our browsers have evolved to show color codes that reflect some perceived security: green if https and the certificate could be verified, red if https and the certificate could not be verified, neutral if http. Consider now a web site that choses to use a self-signed certificate. If it advertises "https" URI, the browsers will flash red until the users do something really scary. If it advertises "http," then there will be no encryption. It seems that we need a third option, something like "http opportunistic," in which the browser knows that it does not need to put up a warning if the certificate is self-signed. 

-- Christian Huitema
Received on Monday, 25 November 2013 07:14:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:19 UTC