
Re: Proposal: Marking HTTP As Non-Secure

From: Adrienne Porter Felt <felt@chromium.org>
Date: Thu, 18 Dec 2014 12:49:41 -0800
Message-ID: <CAFE8Ch5tzYsr+9sScxG_suDbOuRp6LPagiV97=FtFG=0_Uc-4g@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Thu, Dec 18, 2014 at 12:27 PM, 'Chris Palmer' via Security-dev <security-dev@chromium.org> wrote:
>
> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <mmc@mozilla.com> wrote:
>
> > I support the goal of this project, but I'm not sure how we can get to a
> > point where showing warning indicators makes sense. It seems that about
> > 67% of pageviews on the Firefox beta channel are http, not https. How are
> > Chrome's numbers?
>
> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>

I'm curious about the difference between the two browsers. My guess is that
we're treating same-origin navigations differently, particularly fragment
changes. Monica, is Firefox collapsing all same-origin navigations into a
single histogram entry? Given that people spend a lot of time on a small
number of popular (and HTTPS) sites, it would account for the different
stats.


>
> > Security warnings are often overused and therefore ignored [1]; it's even
> > worse to provide a warning for something that's not actionable. I think
> > we'd have to see very low plaintext rates (< 1%) in order not to habituate
> > users into ignoring a plaintext warning indicator.
>
> (a) Users are currently habituated to treat non-secure transport as
> OK. The status quo is terrible.
>

I originally shared Monica's reservations --- I don't want to add another
indicator that people will learn to ignore. But people are already ignoring
http because we show no indicator at all, so in the worst case we will end
up in the same place (but at least we will be consistent with how we label
schemes).


>
> (b) What Peter Kasting said: we propose a passive indicator, not a
> pop-up or interstitial.
>
> > Lots of site operators don't support HTTPS, in fact some of them (e.g.,
> > https://nytimes.com and https://monica-at-mozilla.blogspot.com, which is
> > out of my control) redirect to plaintext in order to avoid mixed content
> > warnings. I don't think that user agents provided the right incentives in
> > this case, and showing a warning 100% of the time to a NYTimes user seems
> > like a losing battle.
>
> Again, it's a passive indicator; and, the proposal is to *fix* what
> you seem to agree is the wrong incentive.
>
> The NY Times in particular is committed to change and challenges other
> news sites to move to HTTPS:
>
> http://open.blogs.nytimes.com/2014/11/13/embracing-https/
>
> > Why not shift the onus from the user to the site operators?
>
> This isn't about putting an onus on users, it's about allowing users
> to at least perceive the reality. And yes, that will put pressure on
> some site operators. At the same time, the industry is working to make
> HTTPS more usable. These efforts are complementary.
>
Received on Thursday, 18 December 2014 20:50:11 UTC
