HTTPS Everywhere brings HTTPS almost everywhere
Posted Jul 3, 2010 11:13 UTC (Sat) by Kwi
In reply to: HTTPS Everywhere brings HTTPS almost everywhere
Parent article: HTTPS Everywhere brings HTTPS almost everywhere
But you'll be happy when the browser tells you the page is secure, because it only contains https content?
The browser can't give any guarantees about security! It can only guarantee that you're seeing the real bankofcalisota.com website, secure or not.
Once identity has been established, it's completely irrelevant to the user whether all the HTTP requests are secure or not. In either case, the security level is entirely determined by the website, and the user doesn't get a say in the matter. (Okay, client-side vulnerabilities can lower the security, but that's another discussion.)
The warning maintains an illusion that the user has any way to diagnose an insecure website. Sure, the browser warns about this one particular case of reduced security, but has no way of warning about the millions of other potential security problems.
I'm not saying https is useless, far from it. To the website, it's a critical part of the overall security. But to the user, its only role is to verify the identity of the website, which the user may then choose to trust. Nothing else.