Re: Proposal: Marking HTTP As Non-Secure from Monica Chew on 2014-12-19 (public-webappsec@w3.org from December 2014)

From: Monica Chew <mmc@mozilla.com>
Date: Thu, 18 Dec 2014 18:33:41 -0800
To: Chris Palmer <palmer@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <CAGSmrUvgQ5pcCq5gmVvrij3x4RyOHW37wH70droOd2aQPNo=DA@mail.gmail.com>

> > Other passive indicators (e.g., Prop 65 warnings if you
> > live in California, or compiler warnings that aren't failures) haven't
> > succeeded in changing the status quo.
>
> Citation needed...?
>

For Prop 65, last paragraph of
http://en.wikipedia.org/wiki/California_Proposition_65_%281986%29#Warning_label.
For compiler warnings, just my own anecdotal experience that they aren't
attended unless -Werror is true, even if the person compiling is in a
position to fix the warning.

> Again, what's the action that typical
> > users are going to take when they see a passive indicator?
>
> First, keep in mind that you can't argue that showing the passive
> indicator will be both ignored and crying wolf. It's one or the other.
> Which argument are you making?
>

I'm making the argument that most people will ignore passive indicators,
the ones who notice it will be frustrated because it's not actionable
(other than not visiting the site), especially at the non-HTTPS traffic
rates we are seeing, and that there are probably better ways to put
pressure on site operators. Sorry if that wasn't clear.

Thanks,
Monica

Received on Friday, 19 December 2014 13:52:17 UTC