Re: Indicators for high-security features

2014-09-23 Thread Anne van Kesteren
On Mon, Sep 22, 2014 at 10:52 PM, Chris Palmer pal...@google.com wrote: Quite so. My point in this thread was: If we are going to change the definition of what an origin is, the most security-meaningful change would be to tie cryptographic identities to origins, rather than anything else; and,

Re: Indicators for high-security features

2014-09-23 Thread Hubert Kario
- Original Message - From: s...@gmx.ch To: dev-security-policy@lists.mozilla.org Sent: Monday, 22 September, 2014 9:28:39 PM Subject: Re: Indicators for high-security features On 22.09.2014 at 14:56, Henri Sivonen wrote: On Wed, Sep 17, 2014 at 6:20 PM, Richard Barnes

Re: Mixed content (was: Indicators for high-security features)

2014-09-23 Thread Anne van Kesteren
On Tue, Sep 23, 2014 at 8:08 PM, fhw...@gmail.com wrote: I'm sure blocking such http requests would break some sites but has anyone performed research or analysis into how big the problem is? Is there a user option to force them to be blocked? Download Firefox Nightly, browse the web, and

Re: Indicators for high-security features

2014-09-23 Thread Chris Palmer
On Tue, Sep 23, 2014 at 11:08 AM, fhw...@gmail.com wrote: So what is the reason to use HSTS over a server initiated redirect? Seems to me the latter would provide greater security whereas the former is easy to bypass. You have it backwards. http://www.thoughtcrime.org/software/sslstrip/

Re: Indicators for high-security features

2014-09-23 Thread Matt Palmer
On Tue, Sep 23, 2014 at 01:08:13PM -0500, fhw...@gmail.com wrote: So what is the reason to use HSTS over a server initiated redirect? Seems to me the latter would provide greater security whereas the former is easy to bypass.  On the contrary, HSTS is much harder to bypass, because the browser

KIR S.A. Root Inclusion Request

2014-09-23 Thread Kathleen Wilson
Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the “SZAFIR ROOT CA” root certificate and enable all three trust bits. KIR S.A. is a private corporation in Poland which currently mainly issues qualified certificates for general public and plans to issue non-qualified certificates

Re: KIR S.A. Root Inclusion Request

2014-09-23 Thread Matt Palmer
One thing leaps out at me immediately: these test certificates. They appear to be issued from the same CA as the regular certificates, but s3.2 states, In case of test certificates they may be issued remotely *without the necessity to verify the subscriber's identity. That seems... bad.

HSTS (was: Indicators for high-security features)

2014-09-23 Thread fhw843
So I read through RFC 6797 and see that some of my concerns are addressed there. Still, I would like to have a better understanding of Mozilla's implementation since there is user agent flexibility that's open to interpretation. One other thing that isn't clear to me is how complete the Mozilla