- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Mon, 2 Jun 2014 08:03:37 -0700
- To: Ryan Sleevi <rsleevi@chromium.org>
- Cc: Mike West <mkwst@google.com>, Daniel Veditz <dveditz@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, palmer@chromium.org, Brad Hill <bhill@paypal.com>, Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
> I believe that we have debated with Mozilla on this in the past as to
> whether this was a bug or a feature. Our (Chrome) view is that it's a feature, and
> that it is more important to warn authors about the potential mixed-content
> than it is to have users relying on HSTS. Mozilla was debating whether or
> not the mixed content checking should happen based upon the effective
> transport.

I agree that we should warn authors. But the current Chrome (and Firefox?) design warns the user in addition to the author. This has 2 disadvantages: first, and probably most important, is warning fatigue. A number of researchers have suggested that showing fewer warnings actually improves the efficacy of warnings when we do end up showing them. Second, imagine you are the security engineer for awesomesauce social network. You fought the good fight and turned on HSTS, but now every time some developer writes HTTP by mistake, the user is shown a warning despite the fact that the user was never vulnerable. Now your manager is angry at you: if we really needed to train developers to write HTTPS everywhere, what was the huge fuss about turning on HSTS?

I am not sure what the solution is, nor am I sure whether it is in the purview of this spec to talk about the UI shown to the user.

cheers
Dev
Received on Monday, 2 June 2014 15:04:25 UTC
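The two positions in the thread, as an added toy model that is not part of the mailing-list discussion or any browser's code: one policy classifies a subresource by the scheme the author wrote, the other by the transport actually used after HSTS upgrade. The host names and the HSTS store are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed HSTS store: hosts that have previously sent
# Strict-Transport-Security (no includeSubDomains handling in this toy).
HSTS_HOSTS = {"awesomesauce.example"}


def hsts_upgrade(url: str) -> str:
    """Return the URL the request would actually be sent to after HSTS."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in HSTS_HOSTS:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def check_subresource(page_url: str, subresource_url: str,
                      by_effective_transport: bool) -> dict:
    """Classify one subresource loaded by a page.

    by_effective_transport=False models the Chrome position quoted above:
    the check keys off the scheme the author wrote, so an http:// reference
    warns even when HSTS would upgrade it.
    by_effective_transport=True models the Mozilla alternative: the
    user-facing check keys off the transport actually used.
    Returns which audiences (author console vs. user UI) would be warned.
    """
    if urlsplit(page_url).scheme != "https":
        # Not a secure context, so no mixed-content question arises.
        return {"author_warning": False, "user_warning": False,
                "fetched": subresource_url}
    fetched = hsts_upgrade(subresource_url)
    written_insecure = urlsplit(subresource_url).scheme == "http"
    effective_insecure = urlsplit(fetched).scheme == "http"
    # Both positions agree the author should hear about an http:// reference.
    author_warning = written_insecure
    # The user-facing indicator is the contested part.
    if by_effective_transport:
        user_warning = effective_insecure
    else:
        user_warning = written_insecure
    return {"author_warning": author_warning, "user_warning": user_warning,
            "fetched": fetched}
```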