On Thursday, April 30, 2015 at 6:02:44 PM UTC-7, peter.e...@gmail.com wrote:
> On Thursday, April 30, 2015 at 5:57:13 PM UTC-7, dia...@gmail.com wrote:
>
> > 1. Mid-2015: Start treating self signed certificates as unencrypted connections (i.e. stop showing a warning, but the UI would just show the globe icon, not the lock icon). This would allow website owners to choose to block passive surveillance without causing any cost to them or any problems for their users.
>
> In Mid-2015 we will be launching Let's Encrypt to issue free certificates using automated protocols, so we shouldn't need to do this.

The thing that may actually be implemented, which is similar to what you want, is the HTTP opportunistic encryption feature of HTTP/2.0. That's strictly better than unencrypted HTTP (since it is safe against passive attacks) and strictly worse than authenticated HTTPS (because it fails instantly against active attacks). So if clients implement it, it has a natural ordinal position in the UI and feature-access hierarchy. If the Let's Encrypt launch goes as planned, it would probably be a mistake to encourage sites to use unauthenticated opportunistic HTTP encryption.