- From: Werner Baumann <werner.baumann@onlinehome.de>
- Date: Fri, 20 Jul 2012 09:36:39 +0200
- To: ietf-http-wg@w3.org
On Thu, 19 Jul 2012 20:01:35 +0000, "Poul-Henning Kamp" <phk@phk.freebsd.dk> wrote:

> In message <20120719184924.GM16208@1wt.eu>, Willy Tarreau writes:
>
> >As usual, Adam gave a nice description there, and I'm sure many of
> >us are aware of the issues he describes. I'm among those who
> >consider that having only some pages of a site secured is dangerous.
> >Either the site is clear or it's not.
>
> What about sites that are HTTP until you log in, then switch to
> HTTPS ?
>
> That's a perfectly fair & sensible way to avoid spending resources
> on non-paying visitors.

Looking at Adam's example: the problem is not mixing of HTTP and HTTPS. The error happens when the user follows a non-trustworthy link and then believes it to be secure because it's HTTPS. These dangerous links are not restricted to HTTP-sites; they may be in HTTPS-sites as well (and other places).

There is only one way to defend against this: the *user* must verify, and be able to verify, that the HTTPS-url is the one she wants. The first step in user security is always the informed decision by the user. No way around. Technical means can only assist (and should assist and not confuse).

The current state of helping the user to make informed decisions is very bad. The infamous dialog on unverifiable certificates is just one example. Telling users they are secure because it is HTTPS or all-HTTPS will make things worse.

Regarding banking: my bank advises me to type the HTTPS-url of the login page by hand. I think this is good advice. But they are not consequent and offer a link on their HTTP-site as well.

Werner
Received on Friday, 20 July 2012 07:37:19 UTC
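The situation Werner describes (a login link that a user follows from a plain-HTTP page and then trusts because the target "is HTTPS") can be made concrete with a small audit. The following is an added example, not code from the thread or from any of its participants: it parses the links on a page fetched over HTTP, picks out the ones that look like login links, and reports whether each resolves to an `https://` URL on the host the user actually expects. The page URL, the host name `bank.example`, the look-alike host `bank-example.test` and the HTML are constructed sample data; the keyword list is an assumption about what a "login" link looks like. A link that passes this check is merely not obviously wrong, which is the point of the message: the scheme alone proves nothing about the host.

```python
# Added example (not from the thread): audit the links on a page served over
# plain HTTP and flag login-style links that do not point to an HTTPS URL on
# the host the user expects. Shows why "it's HTTPS" is not enough without
# also checking the host. All sample data below is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, link text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def audit_login_links(page_url, html, expected_host,
                      keywords=("login", "sign in", "logon")):
    """Return [(href, verdict), ...] for links whose text looks like a login link.

    verdict is "ok" when the absolute target uses https on expected_host;
    otherwise "not https" or "unexpected host". Relative hrefs are resolved
    against page_url, so a relative link on an HTTP page inherits http.
    """
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        if not any(k in text.lower() for k in keywords):
            continue
        target = urlsplit(urljoin(page_url, href))
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            results.append((href, "not https"))
        elif host != expected_host.lower():
            results.append((href, "unexpected host"))
        else:
            results.append((href, "ok"))
    return results


# Constructed sample: a bank's HTTP front page with three login-looking links.
SAMPLE_PAGE_URL = "http://bank.example/"
SAMPLE_HTML = """
<html><body>
<a href="https://bank.example/login">Login</a>
<a href="/login">Sign in (relative)</a>
<a href="https://bank-example.test/login">Secure Login</a>
<a href="/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for href, verdict in audit_login_links(SAMPLE_PAGE_URL, SAMPLE_HTML, "bank.example"):
        print(f"{href:40} {verdict}")
```

Run as a script it reports the first link as "ok", the relative `/login` as "not https" (it resolves to `http://bank.example/login`), and the look-alike host as "unexpected host"; the `Help` link is ignored because its text matches no login keyword.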