Re: Proposal: Marking HTTP As Non-Secure from Chris Palmer on 2016-01-28 (public-webappsec@w3.org from January 2016)

From: Chris Palmer <palmer@google.com>
Date: Thu, 28 Jan 2016 13:41:43 -0800
To: jirkadanek7@gmail.com
Cc: blink-dev <blink-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>, cliodice@mindspark.com
Message-ID: <CAOuvq23bf16UgO9s-mKdnT0uSPQ=xuEp+FPuS8_bPwEB4QkSPQ@mail.gmail.com>

On Thu, Jan 28, 2016 at 8:46 AM, <jirkadanek7@gmail.com> wrote:

On Monday, January 25, 2016 at 8:44:35 PM UTC+1, clio...@mindspark.com
>> wrote:
>
> Hi all, what is the status of this proposal? It calls out for a deployment
> plan in 2015, but that did not materialize. What is the latest? Thanks!
>
> Regarding Chromium:
>
> """On Tuesday, during a presentation at the Usenix Enigma security
> conference in San Francisco, Google pushed the proposal out in the open
> with much more fanfare, and gave a sneak peek of how it’s going to look.
> (You can see the little red “x” on the padlock in the URL bar.)"""
>
> --
> https://motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
>

That article is inaccurate. That screenshot is from a presentation by
Cloudflare, not Google, and does not constitute an announcement from
Google. It's just what you can get by turning on the Mark Non-Secure
Origins As Non-Secure flag in chrome://flags (which I added quite a while
ago).

We'll announce something when we're ready, though.

Received on Thursday, 28 January 2016 21:42:13 UTC