Re: Proposal: Switch generic icon to negative feedback for non-https sites

[Apologies if you've seen this before, it looks like up to a week's worth of
mail from here has been lost, this is a resend of the backlog]

Chris Palmer <palmer@google.com> writes:

>Firefox 31 data:
>
>on desktop the median successful OCSP validation took 261ms, and the 95th
>percentile (looking at just the universe of successful ones) was over 1300ms.
>9% of all OCSP requests on desktop timed out completely and aren't counted in
>those numbers.

Do you have equivalent data for the TLS connect times?  In other words how
much was TLS being slowed down by including OCSP?

Peter.
Peter
8/12/2014 11:38:17 AM
mozilla.dev.security.policy

Chris Palmer <palmer@google.com> writes:

>FWIW, that's a misquote; I didn't write that.

Ooops, sorry, it was posted by Patrick McManus <pmcmanus@mozilla.com> (I used
a script to try and resurrect the lost emails for re-send, I suspect something
got mangled somewhere).

So the question should have been addressed to Patrick (or anyone else who
wants to answer, enciphering minds want to know :-).

Peter.
Peter
8/14/2014 1:14:53 AM