Subject: Re: [TLS] fyi: paper on compelled, certificate creation attack and
        applicable appliance
From: Adam Langley <[email protected]>
Date: Thu, 25 Mar 2010 13:57:47 -0400 (10:57 PDT)
To: Yoav Nir <[email protected]>
Cc: Peter Gutmann <[email protected]>,
        "[email protected]" <[email protected]>, "[email protected]" <[email protected]>,
        "[email protected]" <[email protected]>

On Wed, Mar 24, 2010 at 10:22 PM, Yoav Nir <[email protected]> wrote:
> http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html
> or
> http://en.wikipedia.org/wiki/Strict_Transport_Security

I haven't mentioned this on the list yet, and it's not an answer to
the problems in this paper, but we are actively welcoming entries on
the Preloaded STS list. If you know someone who runs a major HTTPS
site, please mention it.

http://dev.chromium.org/sts:


Preloaded STS sites

There is still a window where a user who has a fresh install, or who
wipes out their local state, is vulnerable. Because of that, we'll be
starting a "Preloaded STS" list. These domains will be configured for
STS out of the box. In the beginning, this will be hardcoded into the
binary. As it (hopefully) grows, it can change into a list that is
shared across browsers, like the safe-browsing database is today.

If you own a site that you would like to see included in the preloaded
STS list, contact [email protected].

Current members of the preloaded STS list:

    * www.paypal.com



AGL
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
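
Added example (not part of the original message and not Chromium's code): a simplified JavaScript model of the lookup described above, showing why a fresh or wiped profile still sends its first request in plaintext unless the host is on the preloaded list. The class name StsStore, the includeSubDomains value on the preloaded entry, and the handling of max-age=0 are assumptions of this model.

```javascript
// Simplified model of a browser's STS decision (added example, not Chromium code).
// Preloaded entries ship with the binary; www.paypal.com is the one listed in the message.
// includeSubDomains: false on that entry is an assumption of this model.
const PRELOADED = new Map([["www.paypal.com", { includeSubDomains: false }]]);

class StsStore {
  constructor() { this.dynamic = new Map(); } // empty on fresh install or wiped profile

  // Record a Strict-Transport-Security header; ignored unless it arrived over HTTPS.
  noteHeader(host, scheme, header, nowSec) {
    if (scheme !== "https") return false; // a plaintext response could be forged
    let maxAge = null, includeSubDomains = false;
    for (const part of header.split(";").map(s => s.trim()).filter(Boolean)) {
      const [name, value] = part.split("=").map(s => s.trim());
      if (name.toLowerCase() === "max-age" && /^"?\d+"?$/.test(value || ""))
        maxAge = parseInt(value.replace(/"/g, ""), 10);
      else if (name.toLowerCase() === "includesubdomains") includeSubDomains = true;
    }
    if (maxAge === null) return false;           // no usable max-age: ignore header
    host = host.toLowerCase();
    if (maxAge === 0) this.dynamic.delete(host); // assumption: max-age=0 clears the entry
    else this.dynamic.set(host, { expires: nowSec + maxAge, includeSubDomains });
    return true;
  }

  // Exact host match, or a parent domain whose entry covers subdomains.
  isSts(host, nowSec) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join(".");
      const pre = PRELOADED.get(name);
      if (pre && (i === 0 || pre.includeSubDomains)) return true;
      const dyn = this.dynamic.get(name);
      if (dyn && dyn.expires > nowSec && (i === 0 || dyn.includeSubDomains)) return true;
    }
    return false;
  }

  // Scheme the browser would actually use for a typed or linked http:// URL.
  schemeFor(host, nowSec) { return this.isSts(host, nowSec) ? "https" : "http"; }
}
```

A new StsStore() stands for a fresh install: schemeFor() returns "http" for any host not in PRELOADED until noteHeader() has accepted a header for it over HTTPS.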
