Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure from Craig Francis on 2014-12-20 (public-webappsec@w3.org from December 2014)

From: Craig Francis <craig.francis@gmail.com>
Date: Sat, 20 Dec 2014 10:04:22 +0000
To: Tyler Larson <tylerl@google.com>
Cc: Monica Chew <mmc@mozilla.com>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-Id: <088833A2-B770-4AFF-929A-1A99A6BC96D5@gmail.com>

> On 19 Dec 2014, at 23:37, 'Tyler Larson' via Security-dev <security-dev@chromium.org> wrote:
> 
> In current implementations, there's no signaling by the browser to say "this site isn't encrypted." There's the *absence* of signaling about security, but that's not the same thing as positively saying that a site was delivered over an insecure channel.

This is why some websites get away with changing their Favicon to a lock, or even showing a lock image on the page ("see our site is secure")... It's much easier than buying a certificate :-P

It would be better if there was something in the browser... e.g. a red unlocked padlock, with a cross over it, where a HTTPS site either shows a gold/green locked icon, or nothing at all (as the browser doesn't know if the website has other security problems)... then there would be a consistent/better indicator of the connection state.

Craig

Received on Monday, 22 December 2014 16:58:46 UTC