On Dec 18, 2014 10:12 PM, "Monica Chew" <mmc@mozilla.com> wrote: > Security warnings are often overused and therefore ignored [1]; it's even > worse to provide a warning for something that's not actionable. I think > we'd have to see very low plaintext rates (< 1%) in order not to habituate > users into ignoring a plaintext warning indicator. If the indicator is initially unobtrusive (e.g. in Firefox changing the light gray globe to a darker gray eye) and the doorhanger just states the truth about the lack of confidentiality, integrity and authenticity, positive effects can be had even if the bulk of users ignore it. As long as it makes site operators are uneasy with users maybe realizing the truth about http being insecure as opposed to neutral, this may well lead to side operators choosing to switch to https. That is, this initiative can be a success even if most users ignore it, because most users don't need to be the audience for them to benefit. The audience needs to be site operators and a subset of users that the site operators don't want to alienate.
Received on Sunday, 21 December 2014 09:12:59 UTC