On 17/09/14 16:20, Richard Barnes wrote:
> There are a bunch of security features right now that I think we all
> agree improve security over and above just using HTTPS:
> -- HTTP Strict Transport Security

Check.

> -- HTTP Public Key Pinning

Others have made the point, which I agree with, that HPKP requires an on-the-ball ops team to deploy right. If we make this part of the bar, only a few sites will have the marker. Maybe that's what we want, maybe not. But when the first site goes out of business because they literally made their website inaccessible to every single existing customer, because they were pursuing this icon and mis-deployed HPKP, then it will not do much for the reputation of this program.

The incentive to deploy HPKP in particular should come from site owners themselves. If other people push them into it, bad things could happen.

> -- TLS 1.2+

Are there any client-compat issues currently blocking sites from rolling out TLS 1.2+?

> -- Certificate Transparency

I should make clear here that Mozilla currently has not committed to support CT, although we are watching with interest. But Richard is only sketching ideas, so that's fine ;-)

> -- Use of ciphersuites with forward secrecy

Check.

> -- No mixed content

Well yes, but you get a degraded UI experience at the moment if you have mixed content.

> -- Content Security Policy (?)

As others have said, not sure how you could check for this actually being used in a security-enhancing way.

> -- Sub-resource integrity (?)

What do you mean by that, exactly?

> It would be good if we could create incentives for sites to turn on
> these features. EFF has already seen some sites trying to turn
> things green on their "Encrypt the Web Report" [1]. Should we
> consider creating a suite of features that comprise a "high-security"
> web site, and create some UI to express that to the user?

I am tentatively optimistic about exploring this idea...

> We could invent new UI for this (e.g., a green lock icon), or we
> could overlay these requirements on the EV criteria.

....but I think we should not mess with EV, which has a defined meaning ("the identity of the owner of this website is known with a high degree of reliability") and therefore, we should also stay away from the colour green.

A little highlight or similar annotation on the lock might be a good place to start. After all, we can change the UI presentation later to be more or less visible.

But, like all security UI indicators, the question is: what do you expect people to do when they see this (or the lack of it)? Do you expect lack of this indicator to drive site choice decisions?

Gerv