> Quite often, the reason the site operator tried to use HTTPS at all
> was that they're doing something that really does need security,
> something they would never dream of using HTTP for. So without the
> browser knowing what a site is for, letting you use misconfigured/
> vulnerable HTTPS is, on average, much riskier than letting you use
> HTTP.

FWIW, in the three years since I wrote this, the situation has changed hugely. Browser vendors have encouraged sites in general to adopt HTTPS (both by offering new abilities only to HTTPS sites, and by showing increasingly-scary UI for HTTP), and pages loaded over HTTPS worldwide have increased from 38% to 76%. <https://letsencrypt.org/stats/#percent-pageloads>

So it’s no longer the case that most HTTPS sites are “something they would never dream of using HTTP for”. So, it might now be more justified to let people override HTTPS misconfiguration/vulnerability blockages than it was before. But maybe other factors have changed too, such as the frequency of misconfiguration or the frequency of attacks.

--
https://bugs.launchpad.net/bugs/1485020

Title: firefox 40 shows a non-overrideable security error when talking to a captive portal
