- From: Glen <glen.84@gmail.com>
- Date: Mon, 13 Apr 2015 11:10:06 +0200
- To: Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Well protecting some is better than protecting none at all.

[silly example] If you keep getting prompted to scan for viruses and you keep dismissing it (and/or not reading the message), and you have a virus, whose fault is that?

Also:

- I don't believe that it will be that frequent. A lot of the larger sites are already on HTTPS (Google, Facebook, Twitter, etc.), and many more will follow, especially if Firefox/Chrome refuse to support HTTP/2 without TLS.
- The message does not have to be "obscure", it could be written in layman's terms, with links to additional information.

Do you honestly believe that letting users unknowingly submit private data (including passwords) over HTTP is the better option?

Glen.

On 2015/04/13 03:34, Amos Jeffries wrote:
> On 12/04/2015 9:23 p.m., Glen wrote:
>> That's a good point. However, at the end of the day, what one person
>> thinks is confidential may not be the same to somebody else.
>>
>> Silly examples:
>>
>> - I'm searching about some embarrassing illness, and I don't realize
>> that someone may be tracking this information.
>> - I'm submitting my CV from my current work place, who monitor traffic,
>> and I don't want them to find out.
>>
>> Without a warning you may not think about this.
>>
>> Yes, passwords, CC numbers, ID numbers, etc. are more private, but where
>> do you draw the line? What about my physical address?
>>
>> At a *minimum*, this type of warning should be displayed when submitting
>> a form that contains a password field. Unfortunately, there are no
>> built-in input fields for other types of private data, and checking for
>> common labels might not be that easy or effective.
>>
>> Yes, many people will hit "ignore" without even reading the prompt, but
>> you can never control that, and if their information is compromised,
>> it's their fault entirely.
> Yes you/we can control that. Easily understood message(s) occurring
> rarely get read and decided on. Frequently occurring obscure message gets
> a rote-learned "go away" response.
>
> There are now 2 generations of users out there with decades of training
> to click-away the TLS warning messages (and any other message that looks
> similar) and malware authors are already taking advantage of that on a
> large scale.
>
> Amos
Received on Monday, 13 April 2015 09:10:39 UTC