Re: Proposal: Marking HTTP As Non-Secure

On 4 February 2016 at 15:28,  <0h3rr3r4@gmail.com> wrote:
> I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
>
> For instance, why a blacklist approach instead of a whitelist?
>
> Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank]  or [YYY Corp. | online retailer]
>
> Simple signs are easy to understand by users; that is what I like about this initiative. However, you still need to enforce the message.

This is demonstrably unhelpful.  UI/UX research has shown
consistently that people do not notice the absence of positive
indicators.

Some things to read:
- Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators
- The emperor’s new security indicators in Proceedings of the 2007
IEEE Symposium on Security and Privacy.
- Use of Visual Security Cues in Web Browsers in Proceedings of the
2005 Conference on Graphics Interface

-- 
Eitan Adler

Received on Friday, 5 February 2016 02:27:06 UTC