Doesn't Chrome's behaviour already "penalise" plaintext HTTP? You can't build a login form, or use shiny new features.
We aren't where we'd ideally be, everybody is agreed about that. That's not the same thing as agreeing our direction of travel is wrong.

I am far from home, reduced to using mobile devices, or I'd do it myself, but I recommend someone try to measure the proximate cause of these certificates. Unlike with earlier "free" certs, the advent of ACME means hosts are throwing in certs with hosting; I suspect that some sizeable fraction of the 14k were issued on this basis. If so, phishers may not even be using the HTTPS feature, any more than they'd have used free vouchers for discounted T-shirts if the host included those. So 14k becomes a measure not of criminal interest in TLS certificates but of the success of full automation in bulk hosting combined with the high turnover of phishing sites.

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy