Re: Draft finding - "Transitioning the Web to HTTPS"

On 19 Jan. 2015, at 13:27, Anne van Kesteren wrote:
>> It is precisely this: recommendations have been expressed in such a way that they could be understood as "we should all rush to everything secure"… but there's no reason for such a rush and the smooth path to something more secure needs decent support for self-signed certs, I claim.
> Again, if we train users that self-signed certificates are okay, the
> next time they visit their bank online (and remember, the network
> cannot be trusted) they will lose. Not acceptable.

You got it right: we need to teach users to differentiate.

And that could be done by UIs.
Users' banks, and most financial statement sites, are probably identified by an EV cert… that's quite a difference from a StartSSL cert in terms of UIs nowadays.
That difference would already be enough for my taste.


Received on Monday, 19 January 2015 12:36:12 UTC