On 09/24/2010 01:29 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>
>> For context, the "quoted advice" is mostly a description of current
>> usage in some existing user agents. Incorporating Barry's suggestions,
>> that text currently reads as follows in our working copy:
>>
>> Security Note: Some existing interactive user agents give advanced
>> users the option of proceeding despite an identity mismatch.
>> Although this behavior can be appropriate in certain specialized
>> circumstances, in general it ought to be exposed only to advanced
>> users and even then needs to be handled with extreme caution, for
>> example by first encouraging even an advanced user to terminate
>> the connection and, if the advanced user chooses to proceed
>> ....
>
> This whole paragraph is evil and completely wrong.
PeterSA and I disagree, and echo rrelyea's sentiments.
For some background context, see:
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
Collin Jackson and Adam Barth
In Proceedings of the 17th International World Wide Web Conference (WWW2008)
https://crypto.stanford.edu/forcehttps/forcehttps.pdf
See also:
HTTP Strict Transport Security (HSTS)
http://tools.ietf.org/html/draft-hodges-strict-transport-sec
Firefox 4.0 beta 5
<http://blog.mozilla.com/blog/2010/09/07/firefox-4-beta-with-faster-graphics-and-new-audio-capabilities-for-the-web/>
"HTTP Strict Transport Security (HSTS) is a new security protocol in Firefox 4
Beta..."
=JeffH
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid