W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 18 Dec 2014 17:22:11 -0500
Message-ID: <CAH8yC8mYKqnf9fbf4v-GkeEWgDeThyY0-oTqser+hxKS3nM5YA@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, mozilla-dev-security@lists.mozilla.org
On Thu, Dec 18, 2014 at 5:10 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> ...
> Four proposed fine-tunings:
>  A) i don't think we should remove "This website does not supply
> identity information" -- but maybe replace it with "The identity of this
> site is unconfirmed" or "The true identity of this site is unknown"
None of them are correct when an interception proxy is involved. All
of them lead to a false sense of security.

Given the degree to which standard bodies accommodate (promote?)
interception, UA's should probably steer clear of making any
statements like that if accuracy is a goal.
Received on Thursday, 18 December 2014 22:22:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:44 UTC