On 14 December 2014 at 20:47, Michal Zalewski <lcamtuf@google.com> wrote: > The main point of having a visible and stable indicator for encrypted > sites is to communicate to the user that the site offers a good degree > of resilience against the examination or modification of the exchanged > data by network attackers. > Then browser should show absolutely no indications of secure origin for encrypted http://. The idea is that encrypted http:// experience would be equivalent to the current http experience with no indications of security and no warnings. However, encrypted http:// with insecure elements will start to produce warnings in the same way a future browser will show warnings for plain http. Without something like this I just do not see how a lot of sites could ever start enabling encryption unconditionally. I.e. currently enabling https requires to modify content often in a significant way. I would for a site operator to have an option to enabling encryption unconditionally without touching the content.
Received on Monday, 15 December 2014 08:56:36 UTC