----- Original Message -----
From: "Adam Langley" <[email protected]>
To: "Watson Ladd" <[email protected]>
Cc: "Trevor Perrin" <[email protected]>; <[email protected]>; "Stephen Farrell" <[email protected]>
Sent: Tuesday, March 25, 2014 10:59 AM

> On Sat, Mar 22, 2014 at 5:25 PM, Watson Ladd <[email protected]> wrote:
> > Personally I have never understood why connecting to a site with a bad
> > certificate shows me a warning, while visiting a site over HTTP does
> > not.
>
> Because if you request a secure connection (https://) and we can't
> provide it then there needs to be a very clear indication of that. If,
> instead, the result was simply that it looked like an HTTP site then
> everyone would "need" to check whether they actually got a secure
> connection after requesting one and I don't think that people would.

Around me, the media are forever telling people to check for the padlock at the bottom of the screen; padlock present, secure connection, safe to go banking and shopping - padlock absent, do not pass go. I cannot recall when last I heard any such mentioning the difference between http: and https:. That is the reality for those here who know no better, and I imagine that that attitude is widespread.

I also recall that, until not all that long ago, the PC at my local 'cybercafe' had SSL 2 as a valid option, TLS above 1.0 not. They were, of course, using the browser of a major vendor with its default settings. I do not know their policy with respect to Security Patches.

Tom Petch

> Cheers
>
> AGL
>

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
