W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: <gshollingsworth@gmail.com>
Date: Wed, 17 Dec 2014 09:29:58 -0800 (PST)
To: security-dev@chromium.org
Cc: public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
Message-Id: <3c9ffcc2-e937-42aa-846d-b5c8c64b52a5@chromium.org>
My comment will focus on the Non-secure (broken HTTPS, HTTP). There is a significant and extremely important security difference between broken HTTPS and HTTP. Assuming the webmaster and web developer properly chose HTTP, it is not intended to be secure but intended for everybody to see. Broken HTTPS is intended to be secure but is not, again same assumption of proper choice by webmaster and web developer. The message to the user should not be the same. Broken HTTPS deserves an alarming declaration of being insecure to warn the user. HTTP deserves  a more gentle reminder message that it is not intended to be secure. If the page content on a HTTP page includes password fields or other clearly identifiable sensitive content fields, then that deserves the same treatment as broken HTTPS.

Webmasters and web developers should be making the appropriate choices for HTTP and HTTPS. Not all web content needs to be served via HTTPS. Users will suffer from alert overload and begin to ignore the important alerts. The simple fact a site is HTTP does not deserve an alert, it depends on the content and context.

I did notice a few comments identifying possible issues when trying to serve include HTTP in an HTTPS page. That is insecure and should not be expected to work. Mixed HTTPS and HTTP has long been identified to users as a security issue and should continue to be.
Received on Thursday, 18 December 2014 14:20:09 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC