- From: Patrick Kolodziejczyk <patrick.kolodziejczyk@viseo.com>
- Date: Fri, 19 Dec 2014 15:36:47 +0000
- To: Monica Chew <mmc@mozilla.com>
- CC: "\"public-webappsec@w3.org\"" <public-webappsec@w3.org>
Received on Friday, 19 December 2014 15:37:17 UTC
> Why not shift the onus from the user to the site operators? I would love to see a "wall of shame" for the Alexa top 1M sites that don't support HTTPS, redirect HTTPS to HTTP, and don't support HSTS. Perhaps search providers could use those to penalize rankings, as Google already does for non HTTPS sites. Efforts to make it cheap and easy to deploy HTTPS also need to advance.

In a perfect world, yes. But don't!

I work in a place where HTTPS traffic is not allowed (the certificate is auto-signed by the proxy, so they can see what we access), and we can't access sites with HSTS (because the UA refuses to). That is more painful than "just" having a security issue. Sometimes I have to use an outdated UA because of that, which brings even more problems to the table.

This initiative is good if it is about informing the user. But if the goal is to make every site only use HSTS, some of us will be left behind, because they can't change the network policy of their society. (We are not in a perfect world.)

It's really about helping people make the better decision in their situation, not the best, "just" the better possible.

Patrick Kolodziejczyk
Design and Development Engineer
BU technologies - Groupe Viseo
190, rue Garibaldi - 69003 LYON
Tel. +33 (0)4 72 33 78 30
http://www.viseo.com<http://objetdirect.com/>