On 22.09.2014 at 14:56, Henri Sivonen wrote:
> On Wed, Sep 17, 2014 at 6:20 PM, Richard Barnes <rbar...@mozilla.com> wrote:
>> -- Use of ciphersuites with forward secrecy
> Yes, but I think it makes sense to go further with ciphersuites. At
> minimum, RC4 should not qualify, but given how easy it is to enable
> AES-GCM if you can enable TLS 1.2 per the earlier point, why not
> require an AEAD suite (i.e. AES-GCM or an upcoming ChaCha20 suite) and
> set aside all perceived or actual CBC problems while at it?

I think 3DES should not qualify, too. It's just the less bad alternative to RC4 to support IE 8.
>> -- Content Security Policy (?)
> This is a bit problematic, because CSP can be configured in so many
> ways resulting in different levels of meaningful security. Do you mean
> we should just reward any effort to use CSP or that we should
> require specific CSP features to be in use?

The best would be if you prevent XSS with unsafe-inline. But nearly every tool on the web uses inline scripts, so this would break compatibility.

We could warn if an http resource is included in CSP. Admins should implement a server-side mixed content blocker using CSP if they need to allow external resources (e.g. img-src https://*:443).

>> We could invent new UI for this (e.g., a green lock icon), or we could
>> overlay these requirements on the EV criteria.

AFAIK the green lock is the only indicator for EV on Firefox OS / Android. This could be confusing. Blue is not used, is it? So there would be gray/black for normal, blue for high-security and green for high-security + EV (how about low-security EV?).

Kind regards
Jonas
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
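The thread above argues about two of the proposed "high security" criteria: which TLS cipher suites should qualify (forward secrecy, AEAD only, no RC4 or 3DES) and what a CSP has to look like to count (no unsafe-inline for scripts, no http: sources, i.e. a server-side mixed-content blocker). The checker below is an added example and not code from the thread or from Mozilla; the exact split into forward-secrecy / AEAD / legacy-cipher checks, the CSP findings, and the sample inputs are my own assumptions. Suite names are the IANA-style TLS_ names.

```python
# Added example, not from the thread: classify TLS cipher suites and
# Content-Security-Policy headers against the criteria discussed above.
# The specific checks and the sample inputs below are assumptions.
import re


def suite_has_forward_secrecy(name: str) -> bool:
    # Ephemeral (EC)DH key exchange is what provides forward secrecy.
    return re.match(r"^TLS_(ECDHE|DHE)_", name) is not None


def suite_is_aead(name: str) -> bool:
    # AES-GCM and ChaCha20-Poly1305 are the AEAD suites named in the thread;
    # AES-CCM is the other AEAD mode registered for TLS.
    return "_GCM_" in name or "CHACHA20_POLY1305" in name or "_CCM" in name


def suite_is_legacy_cipher(name: str) -> bool:
    # The two ciphers the thread wants excluded outright.
    return "RC4" in name or "3DES" in name


def classify_suite(name: str) -> list:
    """Return the reasons a suite fails the criteria; [] means it qualifies."""
    problems = []
    if suite_is_legacy_cipher(name):
        problems.append("legacy cipher (RC4/3DES)")
    if not suite_has_forward_secrecy(name):
        problems.append("no forward secrecy")
    if not suite_is_aead(name):
        problems.append("not AEAD (CBC or stream cipher)")
    return problems


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_csp(header: str) -> list:
    """Return findings for inline scripts and plaintext (http) sources."""
    policy = parse_csp(header)
    findings = []
    # script-src falls back to default-src; if neither is set, inline scripts run.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: inline scripts are allowed")
    elif any(s.lower() == "'unsafe-inline'" for s in script):
        findings.append("script-src allows 'unsafe-inline'")
    # A server-side mixed-content blocker means every directive lists only
    # https: origins. A bare '*' matches http: as well as https:.
    for directive, sources in policy.items():
        for src in sources:
            low = src.lower()
            if low == "*" or low == "http:" or low.startswith("http://"):
                findings.append(f"{directive} permits plaintext source {src}")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_RSA_WITH_RC4_128_SHA",
                  "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        print(suite, classify_suite(suite) or "OK")
    for csp in ("default-src 'self'; img-src https://*:443",
                "default-src 'self'; script-src 'self' 'unsafe-inline' http://cdn.example.net"):
        print(csp, "->", check_csp(csp) or "OK")
```

Run it as a script to see the classification of each constructed suite and policy; the CSP check treats a missing script-src/default-src as the worst case, because CSP only restricts what a directive names.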