Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a 
login form, or use shiny new features.

We aren't where we'd ideally be, everybody is agreed about that. That's not the 
same thing as agreeing our direction of travel is wrong.

I am far from home reduced to using mobile devices, or I'd do it myself but I 
recommend someone try to measure the proximate cause of these certificates. 
Unlike with earlier "free" certs the advent of ACME means hosts are throwing in 
certs with hosting, I suspect that some sizeable fraction of the 14k were 
issued on this basis. If so phishers may not even be using the HTTPS feature, 
any more than they'd have used free vouchers for discounted T-shirts if the 
host included those. So 14k becomes a measure not of criminal interest in TLS 
certificates but of the success of full automation in bulk hosting combined 
with the high turnover of phishing sites.
dev-security-policy mailing list

Reply via email to