
Re: Draft finding - "Transitioning the Web to HTTPS"

From: Paul Libbrecht <paul@hoplahup.net>
Date: Mon, 19 Jan 2015 13:51:52 +0100
Cc: "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-Id: <380D3E29-BD41-4DE1-B86A-6F9FAB0E720C@hoplahup.net>
To: Anne van Kesteren <annevk@annevk.nl>
>> You got it right: we need to teach users to differentiate.
>> 
>> And that could be done by UIs.
>> Users' banks, and most financial statement sites, are probably identified
>> by an EV cert… that's quite a difference to a startSSL cert in terms of UIs
>> nowadays.
>> That difference would be enough already to my taste.
> 
> No way. That is way too subtle a distinction. Users are not going to
> remember what type of certificate a site used and based on that decide
> to not work with it next time around (if it changed).

The big green spot is not enough of a differentiation?
E.g. as in here? http://direct.hoplahup.net/tmp/paypal-ev-cert-display-safari.png
I really disagree, it is not hard to differentiate.
How could I differentiate a cert booked at startssl.com for whatwg.org and wahtwg.org? It'd be quite easy for me to register the second and request a cert at startssl.com. And it'd be barely more trustable than a self-signed cert.

> Not to mention that this would still leak all your credentials given that those are
> scoped by origin.

Please stop saying we are steadily under attack. We are not.
And in many many many cases in common use on the web, we do not care if we would be.

Paul
Received on Monday, 19 January 2015 12:52:33 UTC
