
> This could be solved in future by allowing them only for HTTPS sites :D

Ooh... this would be a good first step in gradually introducing the marking of all HTTP connections as insecure, similar to how Chrome is gradually deprecating SHA-1 certificates:

(1) Stop showing favicons for HTTP connections

(2) Start showing a cautionary icon (perhaps a yellow triangle containing an exclamation point) for HTTP sites and self-signed HTTPS sites

(3) Start showing a scarier looking warning for HTTP sites, but leave a cautionary warning for self-signed certs

(4) Start showing a cautionary icon for connections not using perfect forward secrecy

With Ed25519, Curve25519 and ChaCha20, the computational overhead for perfect forward secrecy has come down significantly.

Now if only we had a good standard for in-browser support of one or more password-authenticated key-agreement (PAKE)[1] algorithms for password input fields so that websites never held passwords. (This could be done via adding an extra attribute to the password input tag, so older browsers would submit the password, and newer browsers would perform PAKE verification.)

Hey, a guy can dream.

[1] https://en.wikipedia.org/wiki/Password-authenticated_key_agr...
