Re: 2 questions

> On Apr 11, 2015, at 11:45 PM, Jim Manico <jim@manico.net> wrote:
> 
> 
> But Glen, your idea is still awesome. I think any form post over HTTP should provide the user with a pretty dramatic warning to not hit submit or at least explain the risk similar to Chrome's current pinning warning.
> 

As others have said, browsers did try that. It certainly makes sense to warn if I’m about to submit my credit card number, social security (or equivalent), and other personal information. 

But any text box is a form. You can’t search Wikipedia without submitting a form. Doing what Glen suggests means that Wikipedia has to go to HTTPS or else have the users receive a warning when they search. So you’d have to have some “don’t bother me again” checkbox on the warning dialog, and that trains users to click this all the time, because you see that dialog box pretty much on any HTTP site. This is a common issue with every kind of UI warning that is most of the time a false positive.

Ultimately, unless it’s secret (like a password or a CC number), I don’t think what you send is any more or less sensitive than what you receive.

Yoav

Received on Saturday, 11 April 2015 22:21:11 UTC