On Mon, Jul 21, 2014 at 4:10 PM, Adrienne Porter Felt <f...@chromium.org> wrote:

> I would very much like to make http sites look insecure.
>
> But we face a very real problem: a large fraction of the web is still
> http-only. That means that:
>
> - Users will get used to the insecure icon, and it will start looking
> meaningless pretty quickly.
> - This might also make users ignore the broken https icon.
>
> I'm not sure how to reconcile this.
I think the key to reconciling this is to recognize that the primary audience for the address bar UI elements for this are website *makers*, not website visitors, regardless of what we'd like. That is, if the indicators in the address bar are already so confusing or useless for end-users that they generally ignore them or take them to have the opposite meaning from what's intended, and yet users are still using our products, then that means that we don't have to worry so much about the possibility of adding end-user confusion by making such a change. Yet, it is in the economic interests of every website to avoid being branded "not secure"; it is likely that the marginal utility of avoiding that is significant enough that it will be the tipping point for many websites to make the switch.

To see if this is a workable strategy, we should learn whether or not end-user apathy and confusion is so high that we can turn it from a negative into a positive this way.

Further, like I said in my previous message, we should be able to do a lot more to ensure that the browser navigates to https:// instead of http:// when https:// is available. This would likely significantly reduce the number of websites for which the negative branding would be shown.

Having said all of that, I remember that Mozilla did some user research ~3 years ago that showed that when we show a negative security indicator like the broken lock icon, a significant percentage of users interpreted the problem to lie in the browser, not in the website--i.e. the security problem is Firefox's fault, not their favorite website's. It would be important to do research to confirm or (hopefully) refute this finding.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy