
Re: Proposal: Marking HTTP As Non-Secure

From: PhistucK <phistuck@gmail.com>
Date: Tue, 16 Aug 2016 14:44:01 +0300
Message-ID: <CABc02_+fo_HoFtRaS9m4fFtctBCT-0w-pgw-twLVyZU7KOTXOA@mail.gmail.com>
To: Jens Engelke <jens.engelke@gmail.com>
Cc: gimli.son.of.gloin@gmail.com, Security-dev <security-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, dev-security@lists.mozilla.org
The problem is that there may be (and I saw some already) websites that
sort of accidentally offer an HTTPS version (or offer it for the login
screen only) and thus the site is not usable in HTTPS (due to HTTP script
references and so on). The user will never know that it is a protocol issue.

If a website supports HTTPS, it should be responsible - automatically
redirect to HTTPS and serve HTTPS with HTTP Strict Transport Security
headers.


☆*PhistucK*
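The two points above (an HTTPS version broken by HTTP subresource references, and the "redirect plus HSTS" responsibility of any site that supports HTTPS) can both be made concrete in code. The following Go program is an added example written for this archive page, not code from the original thread or from any browser or site mentioned in it. The host names, cert paths and the sample HTML are constructed for the demonstration; a site owner would swap in their own application handler and certificate files.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// hstsHeader is the Strict-Transport-Security value sent on HTTPS responses:
// one year, covering subdomains. "preload" is deliberately omitted because
// preload submission is a separate, hard-to-reverse step.
const hstsHeader = "max-age=31536000; includeSubDomains"

// redirectToHTTPS is the handler for the plain-HTTP listener. Every request,
// whatever the path, is answered with a 301 to the same host and path on
// https, so the only thing ever served in cleartext is the redirect itself.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	target := "https://" + r.Host + r.URL.RequestURI()
	http.Redirect(w, r, target, http.StatusMovedPermanently)
}

// withHSTS wraps the real application handler on the HTTPS listener and adds
// the HSTS header. Browsers ignore HSTS received over plain HTTP, so this
// wrapper is only meaningful behind a TLS listener.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", hstsHeader)
		next.ServeHTTP(w, r)
	})
}

// mixedContentRe matches subresource-loading tags whose src/href/data
// attribute points at a cleartext http:// URL. Those references are what
// break the HTTPS version of an otherwise HTTPS-capable site: the browser
// blocks (scripts, stylesheets) or warns about (images) them. Plain <a href>
// hyperlinks are not subresources and are intentionally not matched.
var mixedContentRe = regexp.MustCompile(
	`(?is)<(?:script|img|iframe|link|audio|video|source|embed|object)\b[^>]*?\s(?:src|href|data)\s*=\s*["']?(http://[^"'\s>]+)`)

// FindMixedContent returns every cleartext subresource URL referenced by html.
func FindMixedContent(html string) []string {
	var found []string
	for _, m := range mixedContentRe.FindAllStringSubmatch(html, -1) {
		found = append(found, m[1])
	}
	return found
}

// sampleHTML is a constructed page of the kind described above: it would load
// fine over http:// but two of its references would be blocked over https://.
const sampleHTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="https://cdn.example.test/safe.js"></script>
</head><body>
<img src="//cdn.example.test/logo.png">
<a href="http://partner.example.test/">partner</a>
</body></html>`

// checkRedirect drives redirectToHTTPS with an in-memory request and returns
// the status code and Location header it produced.
func checkRedirect(host, path string) (int, string) {
	req := httptest.NewRequest("GET", "http://"+host+path, nil)
	rec := httptest.NewRecorder()
	redirectToHTTPS(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

// checkHSTS drives a trivial application handler through withHSTS and returns
// the Strict-Transport-Security header that reached the response.
func checkHSTS() string {
	app := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	rec := httptest.NewRecorder()
	withHSTS(app).ServeHTTP(rec, httptest.NewRequest("GET", "https://www.example.test/", nil))
	return rec.Header().Get("Strict-Transport-Security")
}

func main() {
	// Offline demonstration on the constructed inputs. The production wiring
	// (assumed cert paths) would be:
	//   go http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS))
	//   http.ListenAndServeTLS(":443", "cert.pem", "key.pem", withHSTS(app))
	for _, u := range FindMixedContent(sampleHTML) {
		fmt.Println("mixed content:", u)
	}
	code, loc := checkRedirect("www.example.test", "/login?next=/account")
	fmt.Println("redirect:", code, loc)
	fmt.Println("hsts:", checkHSTS())
}
```

The redirect handler forwards the full request URI so deep links survive the upgrade; the mixed-content scan is a conservative static check (it will also flag a cleartext `<link rel="canonical">`, which a browser would not fetch) meant to be run over a site's templates before the redirect is switched on.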

On Tue, Aug 16, 2016 at 11:56 AM, Jens Engelke <jens.engelke@gmail.com>
wrote:

> I can imagine that there are concerns from content providers that their
> visitors might be scared by a visual indication of "non-secure". Even if
> these content providers offer their content via http:// and https://, a
> careless user is taken to http:// if he just enters the hostname in the
> URL bar, as many consumers do.
> If browsers could default to https for "scheme-less" entries in the URL
> bar (and fall back to http:// if there is no response), then visiting a
> non-secure page is an explicit choice of the end user. These users would
> more likely expect (and be used to) visual indicators for non-secure.
>
> <gimli.son.of.gloin@gmail.com> wrote on Tue., 16 Aug. 2016 at 10:30:
>
>> As both a user and sysadmin I really encourage this initiative.
>>
>> One way to implement this that I think would make non-secure sites more
>> obvious and would enhance security would be to add a red border to any site
>> or frame that isn't secure. Hovering the mouse over the border could
>> identify what makes the site/frame non-secure.
>>
>> An option to disable the borders per site could be added in the site
>> permissions so that known sites wouldn't show the border and could be used
>> for sites where the border affects functionality.
>>
>> This should be a fairly simple function to code and I think it would be a
>> lot more noticeable than just the address bar notifications. I think user
>> education would be fairly easy too.
>
Received on Tuesday, 16 August 2016 11:45:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:21 UTC