Re: Draft finding - "Transitioning the Web to HTTPS" from Paul Libbrecht on 2015-01-19 (www-tag@w3.org from January 2015)

From: Paul Libbrecht <paul@hoplahup.net>
Date: Mon, 19 Jan 2015 13:51:52 +0100
To: Anne van Kesteren <annevk@annevk.nl>
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <380D3E29-BD41-4DE1-B86A-6F9FAB0E720C@hoplahup.net>

>> You got it right: we need to teach users to differentiate.
>> 
>> And that could be done by UIs.
>> Users' banks, and most financial statements sites, are probably identified
>> by an EV cert… that's quite a difference to a startSSL cert in terms of UIs
>> nowadays.
>> That difference would be enough already to my taste.
> 
> No way. That is way too subtle a distinction. Users are not going to
> remember what type of certificate a site used and based on that decide
> to not work with it next time around (if it changed).

The big green spot is not enough a differentiation?
E.g. as in here?      http://direct.hoplahup.net/tmp/paypal-ev-cert-display-safari.png
I really disagree, it is not hard to differentiate.
How could I differentiate a cert booked at startssl.com for whatwg.org and wahtwg.org ? It'd be quite easy for me to register the second and request a cert at startssl.com. And it'd be barely more trustable than a self-signed-cert.

> Not to mention that this would still leak all your credentials given that those are
> scoped by origin.

Please stop saying we are steadily under attack. We are not.
And in many many many cases in common use on the web, we do not care if we would be.

Paul

Received on Monday, 19 January 2015 12:52:33 UTC