
Re: Proposal: Marking HTTP As Non-Secure

From: Henri Sivonen <hsivonen@hsivonen.fi>
Date: Sun, 21 Dec 2014 11:12:35 +0200
Message-ID: <CAJQvAudRXhQPqnEPquyYp7kRN2GiOKuMzRemcXL-JO=N8XEvHg@mail.gmail.com>
To: Monica Chew <mmc@mozilla.com>
Cc: blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Chris Palmer <palmer@google.com>
On Dec 18, 2014 10:12 PM, "Monica Chew" <mmc@mozilla.com> wrote:

> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think
> we'd have to see very low plaintext rates (< 1%) in order not to habituate
> users into ignoring a plaintext warning indicator.

If the indicator is initially unobtrusive (e.g. in Firefox changing the
light gray globe to a darker gray eye) and the doorhanger just states the
truth about the lack of confidentiality, integrity and authenticity,
positive effects can be had even if the bulk of users ignore it. As long as
it makes site operators uneasy with users maybe realizing the truth
about http being insecure as opposed to neutral, this may well lead to site
operators choosing to switch to https. That is, this initiative can be a
success even if most users ignore it, because most users don't need to be
the audience for them to benefit. The audience needs to be site operators
and a subset of users that the site operators don't want to alienate.
Received on Sunday, 21 December 2014 09:12:59 UTC
