Thank you Word Press! WordPress has turned on HTTPS for all blogs, and my blog is hosted at WordPress. They deserve recognition for being proactive in the fight for privacy. But we need more from the browsers.
You will probably get a threatening warning. Oh no! This might not be the site you were looking for. But, with the HTTP, you are equally unsure about the site. It still might not be the site. Did you get a warning with HTTP? No you didn’t.
The reason you get this, is because I am too cheap to go buy a certificate for this site. My blog is available for free, and I don’t make any business from it, it is pretty hard for me to justify spending to get a certificate for this purpose. At the same time privacy experts are suggesting that all internet traffic should be HTTPS. The warning is unnecessary, especially given that on HTTP you don’t get a warning either. Since HTTPS without a certificate is not less secure that plain HTTP, there is no reason for the warning in this situation. Here is what those warnings look like today.
On Firefox, the warning looks like this:
This scary warning still has a “Get me out of here!” button. To get by this, you have to first open the heading that says “I Understand the Risks” and only at that point the button to add an exception is exposed. Click that, and Mozilla remembers it! In the future, visits to this site, you will not get the scary warning. Kudos to Mozilla as this is a significant advance in usability. At least you get the scary warning only once. After clicking through, the address link looks like this:
It looks mostly like a normal HTTP site, and the warning symbol is suitable. If you are accessing a branded site, you will not see the site icon, which is reasonable since you don’t have assurance that the site is genuine, how one might make the argument that you didn’t have that assurance with HTTP either, so why show it there? If it had been fully signed, it would look like this:
On Chrome is looks like this:
This is direct and to the point. This is better than Mozilla because the button to proceed is immediately available. After pressing this, like Mozilla, Chrome remembers the fact, and you are not bugged next time you come here. After clicking through, you get a display on the address bar like one of these:
I feel this is pretty suitable. You should not have any assurance that this is an authentic site, and it should look mostly like a regular HTTP site with some indication OK. Regular HTTP should be shown also with a red line through it, since you have no assurance in that case that the site is authentic. As I said earlier, it is inconsistent to make a big deal out of not certifying the site with HTTPS, when HTTP is equally uncertified. Here is what Chrome looks like for a fully signed site:
On Internet Explorer it looks like this:
The scary recommendation is to “close and do not continue.” As I have pointed out elsewhere, there is actually no greater chance that this is a rogue site than if you were using HTTP which has no certificate at all. Therefor this recommendation is unwarranted. with IE you will get this scary warning every time you visit the site. It does not remember that you clicked through and approved this once. What is perhaps even more concerning is the address bar:
This looks completely like a regular HTTP site, and that is good. When you access a fully trusted site, it looks very similar, only the color is green! It does show a lock icon an you can access more information about the certificate. The only problem is the warning page coming up every single time.
What should the behavior be?
Quite simple, there should not be any warning at all when using an uncertified connection. It should look and act essentially exactly the same as a regular HTTP link, although some visual indicator in the address bar is acceptable.
The lock symbol, or the special site specific display, should be displayed only when a correct, signed certificate is presented and the browser can then indicate that the site is authentic.
If the browser wants to go the extra mile in keeping people safe, it should remember whether a site used a certificate last time. If so, any link to the site using HTTP should be automatically converted to HTTPS if you click on it. Then, if the certificate for a site that you know should have a certificate fails to provide a correct one, then, and only then, display the scary warning. It should say:
This site normally has a signed certificate, but this time something is wrong with the certificate, and this might be an impostor site. Are you sure you want to proceed?
That is it … display the warning ONLY if you have reason to believe that the site intended to have a proper certificate in the first place.
Update, Sept 15 2014
Chrome has changed! For the worse! Here is the current screen being displayed by chrome:
This is actually false! Privacy is not at issue. Before the message said that the certificate didn’t match, which was factually correct. Now actually it suggests you don’t have any privacy, when in fact privacy is not endangered.
AND they have made the button to proceed hidden now. You have to click “advanced” to uncover the option to “proceed to …. (unsafe)”. Again, it is SAFER than normal browsing. The height of stupidity amazes.