
Re: Proposal: Marking HTTP As Non-Secure

From: Monica Chew <mmc@mozilla.com>
Date: Thu, 18 Dec 2014 18:33:41 -0800
Message-ID: <CAGSmrUvgQ5pcCq5gmVvrij3x4RyOHW37wH70droOd2aQPNo=DA@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
> > Other passive indicators (e.g., Prop 65 warnings if you
> > live in California, or compiler warnings that aren't failures) haven't
> > succeeded in changing the status quo.
>
> Citation needed...?
>

For Prop 65, last paragraph of
http://en.wikipedia.org/wiki/California_Proposition_65_%281986%29#Warning_label.
For compiler warnings, just my own anecdotal experience that they aren't
attended to unless -Werror is true, even if the person compiling is in a
position to fix the warning.

> > Again, what's the action that typical
> > users are going to take when they see a passive indicator?
>
> First, keep in mind that you can't argue that showing the passive
> indicator will be both ignored and crying wolf. It's one or the other.
> Which argument are you making?
>

I'm making the argument that most people will ignore passive indicators,
the ones who notice it will be frustrated because it's not actionable
(other than not visiting the site), especially at the non-HTTPS traffic
rates we are seeing, and that there are probably better ways to put
pressure on site operators. Sorry if that wasn't clear.

Thanks,
Monica
Received on Friday, 19 December 2014 13:52:17 UTC