Re: [blink-dev] Proposal: Marking HTTP As Non-Secure from Mathias Bynens on 2014-12-13 (public-webappsec@w3.org from December 2014)

From: Mathias Bynens <mathiasb@opera.com>
Date: Sat, 13 Dec 2014 18:33:20 +0100
To: Chris Palmer <palmer@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <CAPgoku1=hNu3qYp18qqBhWuP_R0y_NHnnj1_vDkSORuTEvpkmg@mail.gmail.com>

On Sat, Dec 13, 2014 at 1:46 AM, 'Chris Palmer' via blink-dev <
blink-dev@chromium.org> wrote:
>
> We know that people do not generally perceive the absence of a warning
> sign. (See e.g. The Emperor's New Security Indicators
> <http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf>.)
> Yet the only situation in which web browsers are guaranteed not to warn
> users is precisely when there is no chance of security: when the origin is
> transported via HTTP. Here are screenshots of the status quo for non-secure
> domains in Chrome, Safari, Firefox, and Internet Explorer:
>
> [image: Screen Shot 2014-12-11 at 5.08.48 PM.png]
>
> [image: Screen Shot 2014-12-11 at 5.09.55 PM.png]
>
> [image: Screen Shot 2014-12-11 at 5.11.04 PM.png]
>
> [image: ie-non-secure.png]
>

For completeness sake, here’s what a non-secure looks like in Opera:

Received on Monday, 15 December 2014 08:57:08 UTC