
Some months ago, I watched online a video recording of a talk/presentation aimed at an audience interested in information security.

The talk concerned UI/UX/usability, convenience, and security, and made a number of useful recommendations for people developing software in which those concerns need to be taken into account.

One of the points it made was that by default, browsers do not warn if the user attempts to access a webpage over HTTP, but do warn if the user attempts to access a webpage over HTTPS if there's a problem with the certificate. This produces the false perception in the user that the latter is a greater privacy/security risk than the former. I have not encountered that observation elsewhere.

I recently wanted to reference the talk, but was unable to, as I did not bookmark it and now cannot find it despite extensive web-searching.

My question is: if you have also seen this talk, please can you tell me which talk this was, or at least suggest an alternative citable resource that discusses the browser warning issue mentioned above.

In case it helps:

  • I probably found the video on YouTube.
  • The talk might have been from DEF CON, Black Hat, CCC, or a smaller event: I forget where it was recorded.
  • I do not recall when the talk was given, but I think it was within the last decade.
  • The talk included at least one screenshot of a browser warning the user about an invalid HTTPS certificate.
  • I believe the speaker had a position in academia.
  • I thought at first it might have been a talk by Dan Kaminsky or Wesley McGrew, but have re-watched several of their (excellent) talks now without any luck, so it was probably by somebody else.
  • I don't know a video. But there's a Chromium proposal: [Marking HTTP As Non-Secure](https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure). And there's a good summary-blog by Eric Mill: [We're Deprecating HTTP And It's Going To Be Okay](https://konklone.com/post/were-deprecating-http-and-its-going-to-be-okay). – StackzOfZtuff Sep 11 '15 at 12:02
  • 1
    This is off topic here, as the question is about finding a video, **not** about infosec. That said, asking in chat is definitely allowed - although at weekends chat isn't that busy. – Rory Alsop Sep 12 '15 at 21:10
  • @RoryAlsop, the video is very much about infosec, and is potentially a useful reference for anyone in the field. As such, the question is on topic: it's asking for further information (a reliable source) on a specific (and indeed notable) subject within infosec. Please could you therefore re-open it? Thanks. – sampablokuper Sep 13 '15 at 04:08
  • This question being asked is: "what is the link?" That question is off-topic. The content of the link might be related to InfoSec, but this question is not. – schroeder Sep 13 '15 at 04:35
  • Please stop reverting mod's edits. You have 2 mods telling you that this question is off-topic. You are *not* asking about a historical development in infosec, you're asking for the reference details for a talk you cannot even specifically identify. Rory told you where it would be allowed (chat). – schroeder Sep 13 '15 at 05:36
  • @schroeder, thanks for your comment, but that's a misreading of the question. The question is: what was the talk (i.e. who, when, where). That's not asking for a link, it is **entirely** asking about a historical development in infosec: the public presentation of a *specific* rationale for a *specific* change in browser vendor security policy. While a link might make an answer more complete, it isn't actually required. I'm afraid I disagree with your & RoryAlsop's opinions on this. – sampablokuper Sep 13 '15 at 05:38
  • Disagreements are allowed, and you can bring those disagreement up in Meta. – schroeder Sep 13 '15 at 05:40
  • 1
    @schroeder. Meta: seriously? Life's too short. This is a legitimate question: no doubt at all. – sampablokuper Sep 13 '15 at 05:42

1 Answer


I think you might be referring to the video of Moxie Marlinspike's presentation at DEFCON 17, where he talks about his 'sslstrip' tool:

  • Or https://www.youtube.com/watch?v=MFol6IMbZ7Y (starting ~15:30). – mti2935 Sep 11 '15 at 19:19
  • Thanks for your answer (upvoted!), & your comment. I'd seen one of those two Moxie talks before. Sadly, I'm pretty sure neither of them is the talk I had in mind, as I recall the speaker making the point that it was nonsensical to warn users more strongly about HTTPS with invalid certs than about HTTP. However, the talks you've linked to do come very close, hence the upvote. Incidentally, of the two you linked, the one in your comment above was closest, as it includes clear screenshots of the warnings, so by all means delete your comment & add its content into your answer! Thanks again :) – sampablokuper Sep 11 '15 at 23:35