<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 2014-08-18 11:27, Nick Semenkovich
wrote:<br>
</div>
<blockquote
cite="mid:CAJKgmrXiZYo4g5aPuWUtectyApnP6HeEWGjiBGnv+JSHo0YEZw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Aug 18, 2014 at 1:24 PM, Dave
Warren <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:davew@hireahit.com" target="_blank">davew@hireahit.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Like with so many things in security, there is an obvious
security vs usability tradeoff here: is it better to
return an insecure version of a page, or an error message
and an unusable site?<br>
<br>
Obviously if this is a permanent situation, the rule
should be disabled and removed, but in the case of a
temporary error on the HTTPS side, I'd be very nervous
about automatically removing a layer of security.</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>Oh definitely -- I was thinking @jsha's proposal was on
the development / codebase side, not client extension
side. Though maybe things change so rarely it makes sense
to manually validate all disabled rules.<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I think the same concern applies: ultimately rules will fail. What
action should be taken when a rule fails?<br>
<br>
Ideally site operators start submitting their own rules, in which
case you can notify the maintainer and they will either fix the site
or the rule and the issue is resolved. But if the maintainer fails
to react? Or if the maintainer is with EFF or a volunteer, and they
confirm that the site isn't responding to HTTPS or is just returning
errors but there's no response from the site itself, what action is
taken?<br>
<br>
<pre class="moz-signature" cols="72">--
Dave Warren
<a class="moz-txt-link-freetext" href="http://www.hireahit.com/">http://www.hireahit.com/</a>
<a class="moz-txt-link-freetext" href="http://ca.linkedin.com/in/davejwarren">http://ca.linkedin.com/in/davejwarren</a>
</pre>
</body>
</html>