
Re: Proposal: Marking HTTP As Non-Secure

From: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>
Date: Fri, 19 Dec 2014 15:36:47 +0000
To: Monica Chew <mmc@mozilla.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1419003407390.56496@viseo.com>
> Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS, redirect HTTPS to HTTP, and don't support HSTS. Perhaps search providers could use those to penalize rankings, as Google already does for non HTTPS sites. Efforts to make it cheap and easy to deploy HTTPS also need to advance.

In a perfect world, yes. But don't!
I work in a place where HTTPS traffic is not allowed (certificates are auto-signed by the proxy, so they can see what we access).
And we can't access sites with HSTS (because the UA refuses to). That is more painful than "just" having a security issue.

Sometimes, I have to use an outdated UA because of that. That brings even more problems to the table.

This initiative is good if it is about informing the user. But if the goal is to make every site use only HSTS,
some of us will be left behind, because they can't change the network policy of their society. (We are not in a perfect world.)

It's really about helping people make the better decision in their situation, not the best, "just" the better possible.


Patrick Kolodziejczyk
Ingénieur Conception et Développement
BU technologies - Groupe Viseo
190, rue Garibaldi - 69003 LYON
Tél.  +33 (0)4 72 33 78 30
http://www.viseo.com<http://objetdirect.com/>
Received on Friday, 19 December 2014 15:37:17 UTC
