Re: Proposal: Marking HTTP As Non-Secure from Igor Bukanov on 2014-12-14 (public-webappsec@w3.org from December 2014)

From: Igor Bukanov <igor@mir2.org>
Date: Sun, 14 Dec 2014 19:34:24 +0100
To: Chris Palmer <palmer@google.com>
Cc: Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
Message-ID: <CADd11yUhgfBj9RMBaqc_v8Khg9k8C4xe=b2Mo+GwB9uKdu3-ug@mail.gmail.com>

On 14 December 2014 at 18:59, Chris Palmer <palmer@google.com> wrote:

>
> Yes, unfortunately we have a collective action problem. (
> http://en.wikipedia.org/wiki/Collective_action#Collective_action_problem)
> But just because it's hard, doesn't mean we don't have try. I'd suggest
> that embedders ask embeddees to at least make HTTPS available, even if not
> the default.
>
> Also, keep in mind that this proposal is only to mark HTTP as non-secure —
> HTTP will still work, and you can still host your site over HTTP.
>

If serving context over HTTPS generates broken pages, the insensitive of
enabling encryption is very low. As it was already mentioned, a solution to
that is to allow to serve encrypted pages over HTTP so pages that refer to
unencrypted elements would not break pages but just produces warnings. Such
encrypted http:// also allows to generate less warnings for a page where
all context is available over self-signed and key-pinned certificate as
that solution is strictly more secure then a plain HTTP.

Received on Monday, 15 December 2014 08:56:36 UTC