
Re: Proposal: Marking HTTP As Non-Secure

From: Jim Manico <jim.manico@owasp.org>
Date: Fri, 29 Jan 2016 18:57:14 -0800
To: Chris Palmer <palmer@google.com>, richard@leapbeyond.com
Cc: Security-dev <security-dev@chromium.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Message-ID: <56AC268A.2080402@owasp.org>
Chris,

I'm a big fan of this rather progressive move from Google over the 
"Marking HTTP As Non-Secure".

1) Do you have any plans to make this feature enabled by default in 2016?
2) Do you have any plans to coordinate the change with other browsers, 
at least Firefox?

Thanks again.
- Jim

PS: Regarding "There are no plans, at the moment, to add a No 
Skateboarding sign to Chrome" what about the "no parking on bridge" sign?

On 1/29/16 3:02 PM, Chris Palmer wrote:
> On Fri, Jan 29, 2016 at 1:09 PM, <richard@leapbeyond.com> wrote:
>
>     You would be much better advised to create proactive mechanisms
>     for detecting suspicious activity (man-in-the-middle attacks) and
>     alerting when there really is a bona fide threat
>
>
> That is exactly what HTTPS is.
>
>     , as opposed to creating signal pollution in your UX.
>
>
>     I leave you with this:
>     http://image.shutterstock.com/z/stock-photo-street-intersection-congested-with-street-signs-57695734.jpg
>
>
> Currently, Chrome (and most other browsers) show only the equivalent 
> of the traffic light. We propose to wire up the red lamp. (Recently, 
> we unhooked the yellow lamp, precisely because a proliferation of 
> signals confuses and annoys people: 
> https://googleonlinesecurity.blogspot.com/2015/10/simplifying-page-security-icon-in-chrome.html)
>
> There are no plans, at the moment, to add a No Skateboarding sign to 
> Chrome.
Received on Saturday, 30 January 2016 02:57:48 UTC
