Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Peter Kasting <pkasting@google.com>
Date: Thu, 18 Dec 2014 12:20:09 -0800
Message-ID: <CAAHOzFC+RL9LdjnFgLsuFne5NbL_h_vhX3ORvT0SdVqQwPb=TA@mail.gmail.com>
To: Monica Chew <mmc@mozilla.com>
Cc: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>

On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <mmc@mozilla.com> wrote:
>
> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think
> we'd have to see very low plaintext rates (< 1%) in order not to habituate
> users into ignoring a plaintext warning indicator.
>

The context of the paper you cite is for a far more intrusive type of
warning than anyone has proposed here.  Interstitials or popups are very
aggressive methods of warning that should only be used when something is
almost certainly wrong, or else they indeed risk the "crying wolf" effect.
Some sort of small passive indicator is a very different thing.

PK
Received on Thursday, 18 December 2014 20:20:38 UTC