- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Sun, 27 May 2007 20:38:54 -0400
- To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
- CC: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
So how does one deal with this? It seems that FF and Opera are already doing all that can be done (some would argue that IE is as well--if they show it once and users choose to disable it, the browser has done all that it can, aside from acting against the user's wishes). There's not much more that can be done. You can't put something into chrome that examines all insecure forms, as I would wager a decent deal of money that the majority of secure websites have forms to insecure pages (e.g. search boxes). And you can't really rewrite the content to highlight the insecure forms, as the website can also alter the content. Notwithstanding the fact that users can't tell the difference between chrome and content. So what more can really be done besides a popup? serge Yngve N. Pettersen (Developer Opera Software ASA) wrote: > > On Tue, 15 May 2007 22:29:30 +0200, Yngve N. Pettersen (Developer Opera > Software ASA) <yngve@opera.com> wrote: > >> >> Hello all, >> >> I have just put my proposals about "what a secure page is" on the Wiki >> >> http://www.w3.org/2006/WSC/wiki/WhatIsASecurePage >> >> Some may disagree with several of the suggestions, or have doubts >> about them ever being adopted. > > > And yet more bad examples. > > - Go to the Hilton homepage http://www.hilton.com/ > - Click on reservations in the top toolbar > - You are taken to a secure page > - Over on the right hand side there is a "find a hotel" section > - Fill in city, state, dates etc. > - Click the "search" button > - Your query will now be POSTed to an unsecure server. > > > Browser actions: > > - Opera and FF 1.5 warns about this, the warnings cannot be disabled. > - IE6 only seem to warn when unsecure form submit warning is enabled or > the http->https or vice versa dialog is enabled. (these dialogs are > quite likely to be disabled by the user after the first couple of times > they have seen it) > > My problem with this form is not that the query is sensitive, it isn't > really that sensitive (although I prefer such queries to be secure > anyway), but that it changes from secure to unsecure during form submit > without any prior indication to the user. > > > --Sincerely, > Yngve N. Pettersen > > ******************************************************************** > Senior Developer Email: yngve@opera.com > Opera Software ASA http://www.opera.com/ > Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 > ******************************************************************** > > -- /* Serge Egelman PhD Candidate Vice President for External Affairs, Graduate Student Assembly Carnegie Mellon University Legislative Concerns Chair National Association of Graduate-Professional Students */
Received on Monday, 28 May 2007 00:40:06 UTC