W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 18 Dec 2014 17:10:55 -0500
Message-ID: <549350EF.4030900@fifthhorseman.net>
To: Gervase Markham <gerv@mozilla.org>, Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org
On 12/18/2014 12:14 PM, Gervase Markham wrote:
> I wonder whether we could make a start by marking non-secure origins in
> a neutral way, as a step forward from not marking them at all. Straw-man
> proposal for Firefox: replace the current greyed-out globe which appears
> where the lock otherwise is with a black eye icon. When clicked, instead
> of saying:
> "This website does not supply identity information.
> Your connection to this website is not encrypted."
> it has a larger eye icon, and says something like:
> "This web page was transferred over a non-secure connection, which means
> that the information could have been (was probably?!) intercepted and
> read by a third party while in transit."

I like this change.

Four proposed fine-tunings:

 A) i don't think we should remove "This website does not supply
identity information" -- but maybe replace it with "The identity of this
site is unconfirmed" or "The true identity of this site is unknown"

 B) snooping isn't the only issue -- modification is as well.  Maybe the
updated statement can mention that the web page could have been modified
in transit as well.

 C) if there was a way to ensure that the user knows we're talking about
the data they sent as well as the data they're looking at that would be
good too.

 D) "a third party" is both legalistic and singular.  there could be
multiple parties tapping the line.  what about just "others"?

Here's my attempt at resolving these, fwiw:

The true identity of this site is unknown.

This web page was transferred over a non-secure connection, which means
that the page and any information you sent to it could have been read or
modified by others while in transit.


Received on Thursday, 18 December 2014 22:11:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC