Re: Draft finding - "Transitioning the Web to HTTPS"

Hi Henry,

> On 19 Jan 2015, at 8:56 pm, Henry S. Thompson <> wrote:
> Mark Nottingham writes:
>> To the latter point -- I still find it remarkable that this is
>> extremely common practice:
>> ... and the OS/browser UX doesn't warn the user of the power granted
>> by doing so (last I checked).
> I'll bite -- what _should_ the UX say?  That is, what _is_ the risk
> (and what is the alternative that MIT should be using)?

That’s a good question. I’m not a UX person, and don’t pretend to be one. My issue is that the user isn’t warned at all, and the default — power to MITM — is surprising, unless you understand how PKI works.

In a perfect world, browser trust stores would only allow CAs to be installed if they have name constraints (perhaps respecting the public suffix list). Since that horse has already bolted, it’s more difficult.

> The alternative an entity not a million miles away from my desk
> uses is to just self-sign and expect us to click through the resulting
> warnings. . .


Mark Nottingham

Received on Monday, 19 January 2015 10:12:59 UTC
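The name-constrained CA Mark describes above, as an added worked example (this is not code from the thread or from MIT): a private root whose certificate carries a critical X.509 nameConstraints extension permitting only mit.edu and its subdomains, followed by a check that OpenSSL's path validator accepts a certificate for www.mit.edu from that root and rejects one for www.example.com issued by the very same root. It assumes `openssl` 1.1.1 or later on PATH; the CA name, hostnames and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the thread: a private root CA carrying an X.509
# nameConstraints extension that permits only mit.edu and its subdomains, and a
# check that a validator (here: openssl verify) rejects a certificate the same
# CA issues for a name outside that constraint.
# Assumptions: openssl 1.1.1 or later on PATH; every name, file and CN below is
# hypothetical and chosen for the illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA with a critical nameConstraints extension. The constraint lives in the
# CA certificate; nothing stops this CA from *signing* certificates for other names.
make_constrained_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
CN = Example Constrained Root (hypothetical)
[v3_ca]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
# permitted;DNS:mit.edu covers mit.edu and any subdomain of it, nothing else
nameConstraints        = critical, permitted;DNS:mit.edu
EOF
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -sha256 -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf certificate for the hostname in $1. The CA signs it regardless of
# the name; enforcement happens only in the relying party's chain validation.
issue_leaf() {
  name="$1"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -config "$WORK/ca.cnf" -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 7 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Validate $1's certificate against the constrained root; prints "ok" when the
# chain verifies and "rejected" when it does not (here: permitted-subtree violation).
check_leaf() {
  if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

make_constrained_ca
issue_leaf www.mit.edu      # inside the permitted subtree
issue_leaf www.example.com  # outside it: signed without complaint, rejected at verification
echo "www.mit.edu:     $(check_leaf www.mit.edu)"
echo "www.example.com: $(check_leaf www.example.com)"
```

Two things the run makes visible. First, the CA happily signs www.example.com; the constraint only bites in the relying party's path validation, so a constraint is only as strong as the validator on the device that trusts the root, and that is exactly why the trust store would have to require one at install time for it to protect the user. Second, the "public suffix list" remark in the mail is about what the permitted subtree is allowed to be: `permitted;DNS:mit.edu` is a sensible scope for an institutional CA, whereas a constraint such as `permitted;DNS:edu` would be syntactically valid yet grant nearly the same MITM power as no constraint at all.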