Re: Proposal: Marking HTTP As Non-Secure

On 14 December 2014 at 18:59, Chris Palmer <palmer@google.com> wrote:

>
> Yes, unfortunately we have a collective action problem. (
> http://en.wikipedia.org/wiki/Collective_action#Collective_action_problem)
> But just because it's hard, doesn't mean we don't have try. I'd suggest
> that embedders ask embeddees to at least make HTTPS available, even if not
> the default.
>
> Also, keep in mind that this proposal is only to mark HTTP as non-secure —
> HTTP will still work, and you can still host your site over HTTP.
>

If serving context over HTTPS generates broken pages, the insensitive of
enabling encryption is very low. As it was already mentioned, a solution to
that is to allow to serve encrypted pages over HTTP so pages that refer to
unencrypted elements would not break pages but just produces warnings. Such
encrypted http:// also allows to generate less warnings for a page where
all context is available over self-signed and key-pinned certificate as
that solution is strictly more secure then a plain HTTP.

Received on Monday, 15 December 2014 08:56:36 UTC