W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Igor Bukanov <igor@mir2.org>
Date: Mon, 15 Dec 2014 10:16:45 +0100
Message-ID: <CADd11yVBqRVgz8tP1zKhkaCr01L4gVKdaBzZ2u0piZ8inaP23Q@mail.gmail.com>
To: Peter Bowen <pzbowen@gmail.com>
Cc: Chris Palmer <palmer@google.com>, Eduardo Robles Elvira <edulix@agoravoting.com>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>
On 14 December 2014 at 23:57, Peter Bowen <pzbowen@gmail.com> wrote:

>  I think there is a strong
> impression that a closed lock is better than neutral, but a yellow
> warning sign over the lock is worse than neutral.

The problem is not just a warning sign.

Browsers prevents any active context including iframe served over http from
loading. Thus showing a page with youtube and other videos over https is
not an option unless one fixes the page. Now consider that it is not a
matter of running sed on a set of static files but rather patching the
stuff stored in the database or fixing JS code that inserts the video as
the task of enabling https becomes non-trivial and very content dependent.

So indeed an option to declare that despite proper certificates and
encryption the site should be treated as of insecure origin is needed. This
way the page will be shown as if it was served as before with plain http
with no changes in user experience.  But then it cannot be a https site
since many users still consider that https is enough to assume a secure
site. Hence the idea of encrypted http:// or something that makes user
experience with an encrypted page absolutely the same as she has with plain
http:// down to the browser stripping http:// from the URL.

After considering this I think it will be even fine for a future browser to
show a warning for such
properly-encrypted-but-explicitly-declared-as-insecure in the same way as a
warning will be shown for plain http. And it will be really nice if a site
operator, after activating such user-invisible encryption, can receive
reports from a browser about any violation of the secure origin policy in
the same way how violations of CSP are reported today. This would give nice
possibility of activating encryption without breaking anything, collecting
reports of violated secure origin policy, fixing content and finally
declaring the site explicitly https-only.
Received on Monday, 15 December 2014 09:17:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC