Re: Proposal: Marking HTTP As Non-Secure

From: Donald Stufft <donald.stufft@gmail.com>
Date: Mon, 15 Dec 2014 19:12:25 -0500
Cc: blink-dev@chromium.org, public-webappsec@w3.org, security-dev@chromium.org, dev-security@lists.mozilla.org, felt@chromium.org
Message-Id: <966F4590-FDB9-43B4-958C-E26EE68287D3@gmail.com>
To: ferdy.christant@gmail.com

> On Dec 15, 2014, at 7:10 PM, ferdy.christant@gmail.com wrote:
> 
> "If someone thinks their users are OK with their website not having integrity/authentication/privacy"
> 
> That is an assumption that doesn't apply to every website. Many websites don't even have authentication. 
> 
> "Presumably these users would still be OK with it after Chrome starts making the situation more obvious."
> 
> Or perhaps it doesn't, and it scares them away. Just like with the cookie bars, where now every user believes all cookies are evil. You assume users are able to make an informed decision based on such warnings, and I doubt that.
> 
> "Presumably these users would still be OK with it after Chrome starts making the situation more obvious"


If users are unable to make an informed choice then I personally believe it’s up to the User Agent to try and pick what choice the user most likely wants. I have a hard time imagining that most users, if given the choice between allowing anyone in the same coffee shop to read what they are reading and not allowing, would willingly choose HTTP over HTTPS.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
Received on Tuesday, 16 December 2014 22:47:00 UTC
