W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 18 Dec 2014 15:43:18 -0500
Message-ID: <CAH8yC8=-NVDrSk35bJDqm4mY6E_8XG+6TsT-i-WwgM+0Tm-++A@mail.gmail.com>
To: Peter Kasting <pkasting@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Thu, Dec 18, 2014 at 3:20 PM, Peter Kasting <pkasting@google.com> wrote:
> On Thu, Dec 18, 2014 at 12:12 PM, Monica Chew <mmc@mozilla.com> wrote:
>> Security warnings are often overused and therefore ignored [1]; it's even
>> worse to provide a warning for something that's not actionable. I think we'd
>> have to see very low plaintext rates (< 1%) in order not to habituate users
>> into ignoring a plaintext warning indicator.
> The context of the paper you cite is for a far more intrusive type of
> warning than anyone has proposed here.  Interstitials or popups are very
> aggressive methods of warning that should only be used when something is
> almost certainly wrong, or else they indeed risk the "crying wolf" effect.
> Some sort of small passive indicator is a very different thing.
According to Gutmann, they are equally ignored by users. In the first
case, the user will click through the intrusive popup. In the second
case, they won't know what the icon means or they will ignore it.
Refer to Chapter 2 and Chapter 3 of his book.

In both cases, the browser should do the right thing for the user. In
a security context, that 's "defend, don't ask". Refer to Chapter 2 of
Gutmann's book.
Received on Thursday, 18 December 2014 20:43:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC