
Re: Proposal: Showing the padlock icon on all secure origins

From: timeless <timeless@gmail.com>
Date: Mon, 23 Nov 2015 08:21:50 -0500
Message-ID: <CAAKMeYhsFC2p-HUAn3Y6=WW8wXBOQ4fNunfOiyEDq1n2D6Udyw@mail.gmail.com>
To: Simon Brown <mail@simonandrewbrown.co.uk>
Cc: public-webappsec@w3.org

I'm not sure localhost should be seen as secure. Historically, people
downloaded untrusted content and then were tricked into loading it.

Also, in the really olden days, people shared computers so many different
users would have writeable storage on a single localhost. In a university
setting, a couple would be pranksters -- untrustworthy. Their files could
be accessed via localhost, but doing so could be manifestly bad for you and
your data.

If you want to provision a CA and add it to your list and then issue
yourself a certificate for an alternative name for your host (i.e. other
than localhost), then I don't see a problem with you doing that.
On Nov 22, 2015 3:22 PM, "Simon Brown" <mail@simonandrewbrown.co.uk> wrote:

> Currently most browsers only show the padlock icon on HTTPS sites, even
> though there are other secure origins, such as localhost. I propose that
> browsers start showing the padlock icon for other secure origins, providing
> there isn’t a security problem, such as an invalid certificate on a HTTP
> site or content from an insecure origin. This would:
>
> 1. Make it easier for users to ascertain whether an origin is secure.
> Currently secure localhost and insecure HTTP have the same indicators.
> 2. Increase the perceived normality of the padlock signal, making insecure
> origins stand out more.
> 3. Make it more obvious to developers when they are able to use features
> that are restricted to secure origins.
> https://www.chromium.org/Home/chromium-security/prefer-secure-origins-for-powerful-new-features
> 4. Make the transition to marking insecure origins as non-secure more
> straightforward.
> https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
>
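The provisioning step timeless describes above (a private CA added to your own trust list, then a certificate issued for a name other than localhost) carried through as an added shell example; it is not part of the original thread. The hostname myapp.dev.test, the temporary output directory and the validity periods are assumptions for illustration, and the final step of trusting the resulting ca.crt is platform-specific and is only noted in a comment.

```shell
#!/bin/sh
# Added example: provision a private CA and issue a server certificate for a
# development name other than localhost, then verify the result locally.
# Assumptions: hostname myapp.dev.test (a reserved .test name), a temporary
# output directory, and the validity periods below; all are illustrative.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
DEV_HOST="${DEV_HOST:-myapp.dev.test}"

# Minimal OpenSSL config so 'req' does not depend on a system openssl.cnf.
write_config() {
    cat > "$CA_DIR/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ignored-overridden-by-subj
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1. Private CA: key plus a self-signed certificate marked CA:TRUE.
make_ca() {
    write_config
    openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$CA_DIR/ca.key" \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/CN=Local Dev CA" -out "$CA_DIR/ca.crt"
}

# 2. Leaf certificate for $1: the name goes in subjectAltName, which is what
#    browsers match against; CA:FALSE and serverAuth keep it a server cert only.
issue_leaf() {
    host="$1"
    openssl genrsa -out "$CA_DIR/$host.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$CA_DIR/$host.key" \
        -config "$CA_DIR/openssl.cnf" -subj "/CN=$host" -out "$CA_DIR/$host.csr"
    cat > "$CA_DIR/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -sha256 -days 825 -in "$CA_DIR/$host.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$host.ext" -out "$CA_DIR/$host.crt" 2>/dev/null
}

# 3. Checks a browser effectively performs: the leaf chains to the CA, and the
#    hostname being visited appears in the certificate's subjectAltName.
verify_chain() {
    openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/$1.crt" >/dev/null 2>&1
}

matches_host() {   # $1 = certificate name, $2 = hostname to match against it
    openssl verify -CAfile "$CA_DIR/ca.crt" -verify_hostname "$2" \
        "$CA_DIR/$1.crt" >/dev/null 2>&1
}

has_san() {
    openssl x509 -in "$CA_DIR/$1.crt" -noout -text | grep -q "DNS:$1"
}

provision() {
    make_ca
    issue_leaf "$1"
    verify_chain "$1" && has_san "$1" && matches_host "$1" "$1" \
        && echo "OK: $CA_DIR/$1.crt chains to $CA_DIR/ca.crt for $1"
    # Trusting ca.crt (OS keychain, browser certificate settings, or a tool
    # such as update-ca-certificates on Debian/Ubuntu) is platform-specific;
    # that is the step that makes https://$1/ show the padlock, and it is
    # deliberately not performed by this script.
}

provision "$DEV_HOST"
```

The certificate is valid only for the alternative name, so the same checks fail for localhost; that is the point of the scheme timeless outlines: the padlock is earned by a name and a chain you chose to trust, not by the host being local.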
Received on Monday, 23 November 2015 13:22:23 UTC
