W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Stephen Gallagher <peanut98989@gmail.com>
Date: Wed, 17 Dec 2014 09:18:35 -0800 (PST)
To: security-dev@chromium.org
Cc: public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
Message-Id: <e5553479-84a4-4d2a-859f-3a12f7519c6b@chromium.org>
As a web developer, I feel that this proposal is missing the point somewhat.

For the typical end-user browsing general purpose sites, the biggest risk is not interception of traffic, but vulnerabilities on the back-end, and HTTPS does absolutely nothing to address this. 

Making a more prominent indication of site "security" risks mis-interpretation by end users that their data is in fact secure, which is not the case in reality - especially since most users won't differentiate between transport security and back-end security.

Additionally, many sites simply don't have the type of content or interaction that requires the added complexity of HTTPS, even if it's perceived as an easy upgrade in tech circles. An overly intrusive "non-secure" indicator could lead to end-user confusion in these cases. 

After users realise that these sites are not in fact stealing their data, the effectiveness of the indicator as a valid tool is diminished, since it has already flagged a false positive in the eyes of the end user.

I believe these and other nuances should be carefully taken into account when considering this proposition.
Received on Thursday, 18 December 2014 14:20:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC