Re: Proposal: Marking HTTP As Non-Secure from Alex Gaynor on 2014-12-14 (public-webappsec@w3.org from December 2014)

From: Alex Gaynor <alex.gaynor@gmail.com>
Date: Sun, 14 Dec 2014 18:00:58 +0000
To: Chris Palmer <palmer@google.com>, Igor Bukanov <igor@mir2.org>
Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Message-ID: <CAFRnB2U_bOqrTkGYybpbRUBB+KuemOftUAOCjHkGS0uHKAdW9g@mail.gmail.com>

Chris,

Is there a plan for HTTP to eventually have an interstitial, the way HTTPS
with a bogus cert does?

Alex

On Sun Dec 14 2014 at 9:59:22 AM 'Chris Palmer' via Security-dev <
security-dev@chromium.org> wrote:

> On Sat, Dec 13, 2014 at 8:56 AM, Igor Bukanov <igor@mir2.org> wrote:
>
> Free SSL certificates helps, but another problem is that activating SSL
>> not only generates warnings, but just break the site due to links to
>> insecure resources. Just consider a case of old pages with a few youtube
>> videos served using http iframes. Accessing those pages over https stops
>> the videos from working as browsers blocks access to active insecure
>> context. And in case of youtube one can fix that, but for other resources
>> it may not be possible.
>>
>
> Yes, unfortunately we have a collective action problem. (
> http://en.wikipedia.org/wiki/Collective_action#Collective_action_problem)
> But just because it's hard, doesn't mean we don't have try. I'd suggest
> that embedders ask embeddees to at least make HTTPS available, even if not
> the default.
>
> Also, keep in mind that this proposal is only to mark HTTP as non-secure —
> HTTP will still work, and you can still host your site over HTTP.
>
>
>> So what is required is ability to refer to insecure context from HTTPS
>> pages without harming user experience.
>>
>
> No, because that reduces or eliminates the security guarantee of HTTPS.
>
>
>> For example, it should be a way to insert http iframe into https site.
>> Similarly, it would be nice if a web-developer could refer to scripts,
>> images etc. over http as long as the script/image tag is accompanied with a
>> secure hash of known context.
>>
>
> Same thing here. The security guarantee of HTTPS is the combination of
> server authentication, data integrity, and data confidentiality. It is not
> a good user experience to take away confidentiality without telling users..
> And, unfortunately, we cannot effectively communicate that nuance. We have
> enough trouble effectively communicating the secure/non-secure distinction
> as it is.
>
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security-dev+unsubscribe@chromium.org.
>

Received on Monday, 15 December 2014 08:56:17 UTC