Re: [blink-dev] Re: Proposal: Marking HTTP As Non-Secure from Monica Chew on 2014-12-18 (public-webappsec@w3.org from December 2014)

From: Monica Chew <mmc@mozilla.com>
Date: Thu, 18 Dec 2014 13:41:37 -0800
To: Peter Kasting <pkasting@google.com>
Cc: Chris Palmer <palmer@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <CAGSmrUur=PuW=NWDyV5GaLs6JdwFXj--O2uW_R1C9SXEdJVmPQ@mail.gmail.com>

On Thu, Dec 18, 2014 at 1:34 PM, Peter Kasting <pkasting@google.com> wrote:
>
> On Thu, Dec 18, 2014 at 1:18 PM, Monica Chew <mmc@mozilla.com> wrote:
>>
>> I understand the desire here, but a passive indicator is not going to
>> change the status quo if it's shown 42% of the time (or 67% of the time, in
>> Firefox's case).
>>
>
> Which is presumably why the key question this thread asked is what metrics
> to use to decide it makes sense to start showing these warnings, and what
> the thresholds should be.
>

OK. I think the thresholds should be < 5%, preferably < 1%. What do you
think they should be?

Also I was wrong about collapsing fragment navigation, and that probably
explains the difference between FF and Chrome.

Thanks,
Monica

>

Received on Friday, 19 December 2014 13:52:16 UTC