
Re: Proposal: Showing the padlock icon on all secure origins

From: Jim Manico <jim.manico@owasp.org>
Date: Sun, 22 Nov 2015 14:43:33 -0600
To: Simon Brown <mail@simonandrewbrown.co.uk>, public-webappsec@w3.org
Message-ID: <565228F5.3030902@owasp.org>
> ...even though there are other secure origins, such as localhost

This might be a bit tangential, but I see secure-minded browsers moving
to block access to localhost for a variety of reasons...


- Jim

On 11/21/15 8:31 AM, Simon Brown wrote:
> Currently most browsers only show the padlock icon on HTTPS sites, 
> even though there are other secure origins, such as localhost. I 
> propose that browsers start showing the padlock icon for other secure 
> origins, providing there isn’t a security problem, such as an invalid 
> certificate on a HTTP site or content from an insecure origin. This 
> would:
> 1. Make it easier for users to ascertain whether an origin is secure. 
> Currently secure localhost and insecure HTTP have the same indicators.
> 2. Increase the perceived normality of the padlock signal, making 
> insecure origins stand out more.
> 3. Make it more obvious to developers when they are able to use 
> features that are restricted to secure origins. 
> https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
> 4. Make the transition to marking insecure origins as non-secure more 
> straightforward. 
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Jim Manico
Global Board Member
OWASP Foundation
Received on Sunday, 22 November 2015 20:44:04 UTC
