
Re: Proposal: Marking HTTP As Non-Secure

From: Eitan Adler <lists@eitanadler.com>
Date: Thu, 4 Feb 2016 18:26:06 -0800
Message-ID: <CAF6rxgmhXTSpvpDCqyKWQ=vehTPqab4LJthm2=BtQH+Fa_EVwg@mail.gmail.com>
To: 0h3rr3r4@gmail.com
Cc: Security-dev <security-dev@chromium.org>, public-webappsec@w3.org, blink-dev@chromium.org, dev-security@lists.mozilla.org
On 4 February 2016 at 15:28, <0h3rr3r4@gmail.com> wrote:
> I've followed most of this discussion with great interest. It is a good initiative, but have other alternatives been explored?
>
> For instance, why a blacklist approach instead of a whitelist?
>
> Why not a signal that certifies the name and activity of the company being reached? For example: [XXX Company | Bank]  or [YYY Corp. | online retailer]
>
> Simple signs are easy for users to understand; that is what I like about this initiative. However, you still need to enforce the message.

This is demonstrably unhelpful.  UI/UX research has shown
consistently that people do not notice the absence of positive
indicators.

Some things to read:
- Trust Me: Design Patterns for Constructing Trustworthy Trust Indicators
- The Emperor's New Security Indicators, in Proceedings of the 2007
IEEE Symposium on Security and Privacy.
- Use of Visual Security Cues in Web Browsers, in Proceedings of the
2005 Conference on Graphics Interface.

-- 
Eitan Adler
Received on Friday, 5 February 2016 02:27:06 UTC
