- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Thu, 18 Dec 2014 10:29:27 -0500
- To: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <5492F2D7.7040105@fifthhorseman.net>
Hi Patrick-- Thanks for reading the proposal and giving feedback. On 12/17/2014 05:42 AM, Patrick Kolodziejczyk wrote: > I don't like the idea of saying HTTP is not secure, by default. I don't think any of the arguments you've presented are good reasons to continue displaying http without a non-secure indicator. > It's like hidding for read a new paper. Yes, if it's a problem to do it, it's better that we make it private stuff. But IF we think it's not a problem and shouldn't be, then we have to make sur it's stay "safe and public". All the information in the newspaper can be public, but you might still not want everyone to know which articles in the newspaper you are interested in reading. Among other things, HTTPS provides some confidentiality to *the act of reading*, but does not restrict web sites from publishing public data. > Plus, the fact that source of information start to adjust there discours in function of there reader. This is possible under cleartext HTTP too, as well. Not only that, but other parties can also adjust the information as a function of the reader: http://arstechnica.com/tech-policy/2014/09/why-comcasts-javascript-ad-injections-threaten-security-net-neutrality/ http://www.wired.com/2014/10/verizons-perma-cookie/ (these links were in the article you linked) > Making it private, make sur that no one will ever verify that. No one is verifying that they received the same data as others have received right now with cleartext HTTP or with HTTPS. But even if they were, marking HTTP as non-secure wouldn't prevent anyone from doing so. Regards, --dkg
Received on Thursday, 18 December 2014 15:29:59 UTC