W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Fri, 12 Dec 2014 17:32:27 -0800
Message-ID: <CAOuvq22wtLYukdDC5pcSmtb8M5=VPmUZX6_C0fEq56tE60wvYQ@mail.gmail.com>
To: Eduardo Robles Elvira <edulix@agoravoting.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Fri, Dec 12, 2014 at 5:17 PM, Eduardo Robles Elvira <
edulix@agoravoting.com> wrote:

* The biggest problem I see is that to get an accepted certificate
> traditionally you needed to pay. This was a show-stopper for having TLS
> certs in small websites. Mozilla, EFF, Cisco, Akamai are trying to fix that
> [1] and that StartSSL gives free certificates though. Just stating the
> obvious: you either get easy and free "secure" certificates, or this
> proposal is going to make some webmasters angry.
Oh yes, absolutely. Obviously, Let's Encrypt is a great help, and SSLMate's
ease-of-use and low price is great, and CloudFlare's free SSL helps too.

Hopefully, as operations like those ramp up, it will get increasingly
easier for web developers to switch to HTTPS. We (Chrome) will weigh
changes to the UX very carefully, and with a close eye on HTTPS adoption.
Received on Saturday, 13 December 2014 01:32:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC