Re: Proposal: Marking HTTP As Non-Secure

From: Igor Bukanov <igor@mir2.org>
Date: Sat, 13 Dec 2014 17:56:21 +0100
Message-ID: <CADd11yXq_c6XhXng2iBnOb-NV9p3-RTmT8+khpONT0aQYnTFGw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Free SSL certificates help, but another problem is that activating SSL not
only generates warnings, but just breaks the site due to links to insecure
resources. Just consider the case of old pages with a few YouTube videos
served using http iframes. Accessing those pages over https stops the
videos from working as browsers block access to active insecure context.
And in the case of YouTube one can fix that, but for other resources it may
not be possible.

So what is required is the ability to refer to insecure context from HTTPS
pages without harming user experience. For example, there should be a way to
insert an http iframe into an https site. Similarly, it would be nice if a
web-developer could refer to scripts, images etc. over http as long as the
script/image tag is accompanied with a secure hash of known context.

On 13 December 2014 at 02:32, Chris Palmer <palmer@google.com> wrote:
>
> On Fri, Dec 12, 2014 at 5:17 PM, Eduardo Robles Elvira <
> edulix@agoravoting.com> wrote:
>
> > * The biggest problem I see is that to get an accepted certificate
> > traditionally you needed to pay. This was a show-stopper for having TLS
> > certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that
> > [1] and that StartSSL gives free certificates though. Just stating the
> > obvious: you either get easy and free "secure" certificates, or this
> > proposal is going to make some webmasters angry.
>
> Oh yes, absolutely. Obviously, Let's Encrypt is a great help, and SSLMate's
> ease-of-use and low price is great, and CloudFlare's free SSL helps too.
>
> Hopefully, as operations like those ramp up, it will get increasingly
> easier for web developers to switch to HTTPS. We (Chrome) will weigh
> changes to the UX very carefully, and with a close eye on HTTPS adoption.
Received on Monday, 15 December 2014 08:56:36 UTC
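
The breakage described in the message above (http:// iframes and other subresources on a page that is moved to HTTPS) can be found before a migration by scanning the markup. This is an added example, not part of the original message; the sample HTML and hostnames are constructed, and the two categories are assumed to follow the W3C Mixed Content specification's terms.

```python
from html.parser import HTMLParser

# Assumption: categories follow the W3C Mixed Content specification.
# "blockable" loads are refused on an https:// page; "optionally-blockable"
# ones have historically been loaded with a degraded security indicator.
BLOCKABLE = {"script": "src", "iframe": "src", "link": "href",
             "object": "data", "embed": "src"}
OPTIONALLY_BLOCKABLE = {"img": "src", "audio": "src", "video": "src",
                        "source": "src"}

class MixedContentAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, category)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> only loads a subresource here when it is a stylesheet.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, category in ((BLOCKABLE, "blockable"),
                                (OPTIONALLY_BLOCKABLE, "optionally-blockable")):
            attr = table.get(tag)
            url = (attrs.get(attr) or "").strip() if attr else ""
            # Only explicit http:// is flagged; https:// and protocol-relative
            # (//host/...) URLs follow the page's own scheme.
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url, category))

def audit(html):
    """Return every insecure subresource reference found in the markup."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hostnames and the video id are placeholders.
SAMPLE = """<html><body>
<iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
<img src="http://images.example/logo.png">
<script src="https://cdn.example/app.js"></script>
<script src="//cdn.example/lib.js"></script>
<a href="http://other.example/">link</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, category in audit(SAMPLE):
        print(f"line {line}: <{tag}> {url} [{category}]")
```

Plain `<a href>` navigation links are not reported, since following a link is not a subresource load.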

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC