Re: Proposal: Marking HTTP As Non-Secure

On Sun, Dec 14, 2014 at 11:08 AM, 'Chris Palmer' via Security-dev
<security-dev@chromium.org> wrote:
> On Sun, Dec 14, 2014 at 10:53 AM, Igor Bukanov <igor@mir2.org> wrote:
>
>> I.e. just consider that currently a hosting provider has no option to
>> unconditionally encrypt pages they host for modern browsers as that may
>> break pages of the users. With encrypted http:// they get such option
>> delegating the job of fixing warnings about insecure context to the content
>> producers as it should.
>
>
> I'm sorry; I still don't understand what you mean. Do you mean that you want
> browsers to treat some hypothetical encrypted HTTP protocol as if it were a
> secure origin, but still allow non-secure embedded content in these origins?

I'm also not clear on what Igor intended, but there is a real issue
with browser presentation of URLs using TLS today.  There is no way to
declare "I know that this page will have insecure content, so don't
consider me a secure origin" such that the browser will show a
"neutral" icon rather than a warning icon.  I think there is a strong
impression that a closed lock is better than neutral, but a yellow
warning sign over the lock is worse than neutral.  Today this prevents
sites from using HTTPS unless they have a very high confidence that
all resources on the page will come from secure origins.

Thanks,
Peter

Received on Monday, 15 December 2014 08:56:18 UTC