
Re: Proposal: Marking HTTP As Non-Secure

From: Chris Bentzel <cbentzel@chromium.org>
Date: Thu, 18 Dec 2014 20:30:49 -0500
Message-ID: <CABJO0QKnhtMyKhBMe9PEcr_enCe4C+LbsCev1PDZWB3gfaTrDQ@mail.gmail.com>
To: Monica Chew <mmc@mozilla.com>
Cc: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Thu, Dec 18, 2014 at 4:18 PM, Monica Chew <mmc@mozilla.com> wrote:
> On Thu, Dec 18, 2014 at 12:27 PM, Chris Palmer <palmer@google.com> wrote:
>>
>> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <mmc@mozilla.com> wrote:
>>
>> > I support the goal of this project, but I'm not sure how we can get to a
>> > point where showing warning indicators makes sense. It seems that about 67%
>> > of pageviews on the Firefox beta channel are http, not https. How are
>> > Chrome's numbers?
>>
>> Currently, roughly 58% of top-level navigations in Chrome are HTTPS.
>
>
> Thanks for the numbers. That's a significant gap (58% vs 33%). Do you have
> any idea why this might be the case?

It's possible this is due to Firefox not counting same-frame
navigations (fragment change, pushState) as top-level navigations.

I added Navigation.MainFrameSchemeDifferentPage recently which
excludes these navigations, and the fraction of navigations that are
https is significantly lower.

This has only made it to dev channel, so I'm hesitant to put too much
weight on the results at this point. But it might at least be
consistent.


That being said, I'd prefer metrics which would be "Mean Active
Browsing Time Between Warnings" rather than page load based metrics -
both because they may be easier to be consistent, and because it's
possibly closer to a measure of warning fatigue.

>
>>
>>
>> > Security warnings are often overused and therefore ignored [1]; it's even
>> > worse to provide a warning for something that's not actionable. I think we'd
>> > have to see very low plaintext rates (< 1%) in order not to habituate users
>> > into ignoring a plaintext warning indicator.
>>
>> (a) Users are currently habituated to treat non-secure transport as
>> OK. The status quo is terrible.
>>
>> (b) What Peter Kasting said: we propose a passive indicator, not a
>> pop-up or interstitial.
>
>
> I understand the desire here, but a passive indicator is not going to change
> the status quo if it's shown 42% of the time (or 67% of the time, in
> Firefox's case). Other passive indicators (e.g., Prop 65 warnings if you
> live in California, or compiler warnings that aren't failures) haven't
> succeeded in changing the status quo. Again, what's the action that typical
> users are going to take when they see a passive indicator?
>
> Thanks,
> Monica
Received on Friday, 19 December 2014 13:52:16 UTC
