HTTPS Everywhere brings HTTPS almost everywhere

Posted Jul 3, 2010 11:13 UTC (Sat) by Kwi (subscriber, #59584)
In reply to: HTTPS Everywhere brings HTTPS almost everywhere by paulj
Parent article: HTTPS Everywhere brings HTTPS almost everywhere

But you'll be happy when the browser tells you the page is secure, because it only contains https content?

The browser can't give any guarantees about security! It can only guarantee that you're seeing the real website, secure or not.

Once identity has been established, it's completely irrelevant to the user whether all the HTTP requests are secure or not. In either case, the security level is entirely determined by the website, and the user doesn't get a say in the matter. (Okay, client-side vulnerabilities can lower the security, but that's another discussion.)

The warning maintains an illusion that the user has any way to diagnose an insecure website. Sure, the browser warns about this one particular case of reduced security, but has no way of warning about the millions of other potential security problems.

I'm not saying https is useless, far from it. To the website, it's a critical part of the overall security. But to the user, its only role is to verify the identity of the website, which the user may then choose to trust. Nothing else.

Copyright © 2018, Eklektix, Inc.