Re: Proposal: Marking HTTP As Non-Secure

From: <michaelhorowitz@gmail.com>
Date: Wed, 17 Dec 2014 17:15:04 -0800 (PST)
To: security-dev@chromium.org
Cc: public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
Message-Id: <dac0f552-1cf9-46a5-89f8-5d2b5d8cd80b@chromium.org>

User Interface suggestions:

I think coloring the address bar background is the way to go. 

Small icons are too easily missed, and even if every browser agreed to use the same icon (unlikely), they would likely be placed differently. Also, error messages are likely to be ignored by non-techies who will not understand them.

As for suggested colors, red, yellow and green have a universal meaning. 
With that in mind, I suggest starting with 

HTTP - yellow background
HTTPS - light green background
HTTPS with EV certificate - darker green background

Then, phase two might be:  

HTTP: red background 
HTTPS with mixed mode: yellow background
HTTPS: still light green 
HTTPS with EV cert: still dark green 

To further emphasize the red and/or yellow, the entire browser window might be framed in that color, along the lines of what Sandboxie does. 

I would also add an explanation of the colors right in the address bar. The word "color" with a white "i" in a blue circle should be obvious as the explanation. Clicking it (or perhaps just hovering on mouse-based OSs) should pop up a description of what the colors mean.

Received on Thursday, 18 December 2014 14:20:09 UTC