
Re: Proposal: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Thu, 18 Dec 2014 18:55:44 -0800
Message-ID: <CAOuvq214Z1VSK4ZraiVHy=G7-Y_ALL7ph91GnK8K785dB4tMfg@mail.gmail.com>
To: Monica Chew <mmc@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>

On Thu, Dec 18, 2014 at 6:33 PM, Monica Chew <mmc@mozilla.com> wrote:

> I'm making the argument that most people will ignore passive indicators, the
> ones who notice it will be frustrated because it's not actionable (other
> than not visiting the site),

Users can take actions like these:

* Use the site, but maybe not grant it Geolocation or Camera permission
* Use the site, but be aware that it's not a great place to talk about
sensitive topics
* Use the site, but be aware that these stock price listings might not
be 100% true
* Use the site, but ask the operator why the browser thinks it's Non-Secure
* Use a competing site that does use secure transport
* Hug their real cat instead of looking at cats on the screen

Rather than thinking of it like California Proposition 65, think of it
like those health inspection scores that restaurants have to show:
http://sfscores.com/. Maybe a score of 63 isn't high enough for you,
or maybe you'll get something packaged or heavily cooked.

The truth is sometimes gross, but there are actions you can take.

> especially at the non-HTTPS traffic rates we
> are seeing, and that there are probably better ways to put pressure on site
> operators. Sorry if that wasn't clear.

This is a proposal to tell users the truth, and to stop lying by omission.

If some users pressure site operators (either with tech support calls
or by exerting market pressure), or if site operators decide
unilaterally that they don't like the truth and then choose to fix it,
that is a second-order effect. A good second-order effect which makes
me happy, but it's not my primary goal with this proposal.
Received on Friday, 19 December 2014 02:56:15 UTC
