Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure from Peter Kasting on 2014-12-18 (public-webappsec@w3.org from December 2014)

From: Peter Kasting <pkasting@google.com>
Date: Thu, 18 Dec 2014 12:20:09 -0800
To: Monica Chew <mmc@mozilla.com>
Cc: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <CAAHOzFC+RL9LdjnFgLsuFne5NbL_h_vhX3ORvT0SdVqQwPb=TA@mail.gmail.com>

On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <mmc@mozilla.com> wrote:
>
> Security warnings are often overused and therefore ignored [1]; it's even
> worse to provide a warning for something that's not actionable. I think
> we'd have to see very low plaintext rates (< 1%) in order not to habituate
> users into ignoring a plaintext warning indicator.
>

The context of the paper you cite is for a far more intrusive type of
warning than anyone has proposed here.  Interstitials or popups are very
aggressive methods of warning that should only be used when something is
almost certainly wrong, or else they indeed risk the "crying wolf" effect.
Some sort of small passive indicator is a very different thing.

PK

Received on Thursday, 18 December 2014 20:20:38 UTC