W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Marking HTTP As Non-Secure

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 10:29:27 -0500
Message-ID: <5492F2D7.7040105@fifthhorseman.net>
To: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi Patrick--

Thanks for reading the proposal and giving feedback.

On 12/17/2014 05:42 AM, Patrick Kolodziejczyk wrote:

>  I don't like the idea of saying HTTP is not secure, by default.

I don't think any of the arguments you've presented are good reasons to
continue displaying http without a non-secure indicator.

> It's like hidding for read a new paper. Yes, if it's a problem to do it, it's better that we make it private stuff. But IF we think it's not a problem and shouldn't be, then we have to make sur it's stay "safe and public".

All the information in the newspaper can be public, but you might still
not want everyone to know which articles in the newspaper you are
interested in reading.

Among other things, HTTPS provides some confidentiality to *the act of
reading*, but does not restrict web sites from publishing public data.

> Plus, the fact that source of information start to adjust there discours in function of there reader.

This is possible under cleartext HTTP too, as well.  Not only that, but
other parties can also adjust the information as a function of the reader:

 http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/
 http://www.wired.com/2014/10/verizons-perma-cookie/

(these links were in the article you linked)

> Making it private, make sur that no one will ever verify that.

No one is verifying that they received the same data as others have
received right now with cleartext HTTP or with HTTPS.  But even if they
were, marking HTTP as non-secure wouldn't prevent anyone from doing so.

Regards,

	--dkg


Received on Thursday, 18 December 2014 15:29:59 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC