- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Sun, 17 Nov 2013 21:57:22 +0000
- To: Willy Tarreau <w@1wt.eu>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
In message <20131117204928.GA18577@1wt.eu>, Willy Tarreau writes: >1) browser: make the root and/or cert issuer on HTTPS sites for the main > page visible all the time, just like the page's title is currently > visible (add it next to the title or at the bottom ?) That could work for open-source browsers. For closed source browsers of US origin, there's no telling what they can or will tell the user or what relationship that might have with the truth. >2) protocol: add a new "httpe://" scheme Anything which tries to add another scheme is going to be serious uphill work, so it had better be for a reason which amounts to more than some cryptographic mumbo-jumbo 99.9% of webmasters are not entirely sure what means. I don't think your idea clears that hurdle. I think it is a better idea to just stick with "https:" and leave it to the server side to negotiate as much security as they want, and hope that user-agents faithfully indicates this to the user. >3) browser: get rid of the ability to bypass the cert error for HTTPS > (except maybe for developers using a config option). See above. At least 50% of the pervassive surveillance problem is software we cannot trust on the client side. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Sunday, 17 November 2013 21:57:45 UTC