
Re: Marking HTTP As Non-Secure

From: Chris Palmer <palmer@google.com>
Date: Thu, 5 Nov 2015 12:05:07 -0800
Message-ID: <CAOuvq21Ey_-w=p=jNTscHYAkboNYXCEWBiEyi4_TgH-Yck1cYg@mail.gmail.com>
To: Raúl Martínez <rme@rme.li>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Thu, Nov 5, 2015 at 7:35 AM, Raúl Martínez <rme@rme.li> wrote:

> Latest Firefox nightly build (44) marks HTTP as non secure if the page
> contains a password input.
>
> Today I read again the proposal (
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure)
> and I realise that year 2015 is about to end and currently no browsers are
> even marking http as dubious.
>
> What are the plans in Chrome and Firefox for this proposal? What is the
> planned roadmap?
>
You can go to chrome://flags/ and turn on the "Mark non-secure origins as
non-secure" experiment to see what the world will look like. (That's been
in there for ~6 months now.)

We do still want to try to mark non-secure origins as such soon (early next
year), but 1 thing we have found is that, although the big sites are HTTPS
and people spend tons of time on them, there is a huge long tail of
non-secure sites. Over the Summer and Autumn we measured HTTPS adoption,
and it hasn't gone up much — so we've been spending effort trying to make
it easier for site operators to migrate. Toward that end, my colleagues
lgarron and estark developed the Security panel in Chrome Dev Tools (you
can see it in Beta now), and we have simplified the Omnibox security
indicators to try to smooth the path somewhat (and make the UX less
complex):
https://googleonlinesecurity.blogspot.com/2015/10/simplifying-page-security-icon-in-chrome.html.

We've also done a bit of consulting work with large site operators to find
their pain points and help them with technical concerns. The mixed passive
content warning was one (because it made HTTPS look worse than HTTP), and
another is publishers relying on non-secure ads origins. Google is serving
ads by HTTPS, and the industry is generally moving there (
http://www.iab.com/news/lean/).

So, hopefully sooner rather than later, the pain points will diminish and
more and more publishers will move to HTTPS. Happily, Wikipedia got there,
for example. (Woo hoo!)

We are concerned that if people suddenly start seeing the Bad indicator for
lots of the web/for lots of the time they spend on the web, they could get
warning fatigue. Also, site operators could get upset.

But, we do intend to argue that Chrome should show non-secure origins as
non-secure, regardless of HTTPS adoption. We are also redesigning our
security iconography to make the Neutral state more honest about the
reality.
Received on Thursday, 5 November 2015 20:05:36 UTC
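As an added illustration of the mixed-content pain point mentioned above (example code, not from this thread, Chromium or Mozilla): a scanner that lists http:// subresources referenced from a page assumed to be served over HTTPS and separates passive loads (images, audio, video, which browsers warn about) from active ones (scripts, frames, stylesheets, plugins, which browsers block). The tag-to-category mapping is a simplification of the browsers' mixed-content rules, and the sample page and hostnames are constructed.

```python
"""Find http:// subresources in an HTML page assumed to be served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Passive (optionally-blockable) mixed content: shown with a degraded indicator.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"),
           "source": ("src",)}
# Active (blockable) mixed content: blocked outright by modern browsers.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",),
          "embed": ("src",), "link": ("href",)}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (category, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Simplification: only stylesheet <link>s are counted as subresources.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for category, table in (("passive", PASSIVE), ("active", ACTIVE)):
            for attr in table.get(tag, ()):
                url = attrs.get(attr)
                # Protocol-relative ("//host/x") and https URLs inherit/keep TLS.
                if url and urlsplit(url).scheme == "http":
                    self.findings.append((category, tag, url))


def scan_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings):
    counts = {"passive": 0, "active": 0}
    for category, _, _ in findings:
        counts[category] += 1
    return counts


# Constructed sample page mixing secure, protocol-relative and plain-http loads.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://ads.example.test/ads.js"></script>
<script src="http://ads.example.test/legacy.js"></script>
</head><body>
<img src="http://static.example.test/logo.png">
<img src="//static.example.test/hero.png">
<video poster="http://static.example.test/poster.jpg" src="https://static.example.test/clip.mp4"></video>
<iframe src="http://widgets.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for category, tag, url in scan_mixed_content(SAMPLE_PAGE):
        print(f"{category:7} <{tag}> {url}")
    print(summarize(scan_mixed_content(SAMPLE_PAGE)))
```

Running it against the sample prints two passive and three active findings; the protocol-relative image and the https script are not reported.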

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:16 UTC