- From: Eduardo Robles Elvira <edulix@agoravoting.com>
- Date: Tue, 29 Jul 2014 01:54:29 +0200
- To: "Hill, Brad" <bhill@paypal.com>
- Cc: Brad Hill <hillbrad@gmail.com>, Julian Reschke <julian.reschke@gmx.de>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hello Brad & others: On Mon, Jul 28, 2014 at 8:17 PM, Hill, Brad <bhill@paypal.com> wrote: > This is longstanding behavior, is under the control of the resource owner, and has a clear meaning: you are attempting a secure connection but we can't verify to whom you are connecting. Even so, this has proven very problematic for users to interpret correctly and is a source of many false positive security warnings. Right, it's a longstanding behavior, so it's similar to a design principle. It was just an example to show that this kind of security warnings are already there and have been there for long time, it's not new - not that I like that specific one. And as you mention it can be problematic, but it's there for a purpose. I wouldn't make them so bold and in-your-face, but the a-download-link-integrity use-case is not a corner-case. There are already quite a few websites trying to do similar things, with poor results because there's no standard nor usable way to do it. It's going to be more usable than what people are already doing (saying "check this hash", which people doesn't usually check, but the browser could do it automatically and easily), and as a result, more websites will use this feature, and the web will be more secure overall, with a simple change in SRI. That's why it would be a shame if we miss the opportunity to add this to SRI. > We just had no interest whatsoever at the time of our rechartering in implementing a feature that would have to ask the user something like: "The content at the other end of this link is not the same at the content the creator of this link specified. It may have changed and still be legitimate content intended by the resource owner, or may be content intended by the resource owner but considered illegitimate by the author of this link, or the page may have been modified in a manner unauthorized by the resource owner, or the author of the link may have incorrectly specified what they expected. We cannot give you *any information whatsoever* as to the nature or extent of the changes. Continue?" Security vs. usability, round 100+1 :-). I understand that what to some (like me or Julian) makes a lot sense now, might not make sense to the people making in the standard at the time. That's why I like that we have an open mailing list to comment these things. The warning doesn't need to be worded as you worded. It sure can, in a hidden optional "more details" section. By default it could just say "This content is labeled as insecure by the web site, do you really want to continue?" or something similar. I'd let usability people figure the wording. Regards, Eduardo
Received on Monday, 28 July 2014 23:55:26 UTC