On Fri, Apr 25, 2014 at 3:10 AM, ianG <[email protected]> wrote:
> Worse, consider Firefox's behaviour: it considers a certificate-secured
> site such as a self-cert'd site to be dangerous, but it does not
> consider a HTTP site to be dangerous. So it tells the user HTTP is
> safe, whereas an attempt to secure means that the user is being robbed!
I actually brought this up with one of Chrome's UX engineers, specifically how, to Joe User, the address bar makes it appear that plaintext HTTP is more secure than HTTPS with an untrusted cert. While one is MitM-able by an active attacker, the other is most certainly being passively MitMed by someone! :O

The response was that users have an expectation of security when using HTTPS that they don't with HTTP, but I wonder, how many people just think they're safe because of the absence of scary warning signs and have no idea what HTTP vs HTTPS actually means?

I think plaintext HTTP should show a lock with a big "no sign" over it or something to highlight to users that the connection is insecure.

-- 
Tony Arcieri
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
