Re: Draft finding - "Transitioning the Web to HTTPS" from Paul Libbrecht on 2015-01-19 (www-tag@w3.org from January 2015)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Mon, 19 Jan 2015 13:35:29 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <B3071505-0106-4EE9-8B96-9542D2DD6D93@hoplahup.net>

On 19 janv. 2015, at 13:27, Anne van Kesteren <annevk@annevk.nl> wrote:
>> It is precisely this: recommendations have been expressed in such a way as it could be understood as "we should all rush to everything secure"… but there's no reason for such a rush and the smooth path to something more secure needs a decent support for self-signed-certs, I claim.
> 
> Again, if we train users that self-signed certificates are okay, the
> next time they visit their bank online (and remember, the network
> cannot be trusted) they will lose. Not acceptable.

You got it right: we need to teach users to differentiate.

And that could be done by UIs.
Users' banks, and most financial statements sites, are probably identified by an EV cert… that's quite a difference to a startSSL cert in terms of UIs nowadays.
That difference would be enough already to my taste.

paul

Received on Monday, 19 January 2015 12:36:12 UTC