On 05/22/2013 06:52 PM, Ryan Sleevi wrote:
> The view is that it's still a legitimate error for the site operator, in
> that any user without HSTS protections (or with expired HSTS) is still at
> risk. While HSTS may be providing protection to the user, the site itself
> is still configured to serv
On 5/22/2013 3:29 PM, Trevor Perrin wrote:
The draft discusses "Preloaded Pin Lists", which are presumably conveyed
to the UA from some 3rd party (e.g. browser vendor). It seems reasonable
for such lists to be created or kept fresh by scanning web sites. I
believe Mozilla is taking this approach
Hi all,
Looks like these are the options:
1. No hard limits, but allow UAs to limit the pin time. Suggest a month
2. Set a hard limit of one month in the RFC. Longer pins are truncated.
3. No hard limits, but allow the UA to skip hard-fail if a pin hasn't been
observed for some time (like a mon
Firefox's Mixed Content Blocker is enabled by default in Firefox 23+.
It will block Mixed Active Content, but allow Mixed Passive Content
(unless the user explicitly turns it off by setting
security.mixed_content.block_display_content to true).
If an HSTS site includes Mixed Active Content, w
On Wed, May 22, 2013 at 2:02 PM, Tobias Gondrom wrote:
>
> And maybe a question to go a step further:
> Would you agree that if we would do a 30-day hard limit as you propose,
> this would basically mean that all less frequent banking/paypal/... users
> MUST (or a very strong SHOULD) use such a we
On Wed, May 22, 2013 2:56 pm, Daniel Kahn Gillmor wrote:
> hi websec folks--
>
> I am wondering what people think the proper intersection is between a
> web browser's mixed-content warnings and HSTS.
>
> For example, if https://example.net has asserted
> Strict-Transport-Security: max-age=1576
On Wed, May 22, 2013 2:46 pm, Tobias Gondrom wrote:
> On 22/05/13 22:21, Yoav Nir wrote:
> > Hi, Tobias
> >
> > On May 23, 2013, at 12:02 AM, Tobias Gondrom
> > <mailto:tobias.gond...@gondrom.org> wrote:
> >
> >
> >
> >>> On Thu, May 16, 2013 at 12:58 AM, Tobias Gondrom
> >>> mailto:tobias.gond..
Hi Yoav,
On Tue, May 21, 2013 at 3:26 PM, Yoav Nir wrote:
> Hi Trevor
>
>
>
> The suggestion that web spiders also note pins is interesting, but it's
> not mentioned in the draft at all.
>
I think this possibility should be mentioned.
The draft discusses "Preloaded Pin Lists", which are pr
hi websec folks--
I am wondering what people think the proper intersection is between a
web browser's mixed-content warnings and HSTS.
For example, if https://example.net has asserted
Strict-Transport-Security: max-age=15768000 but the homepage at
https://example.net/ also contains
http://exam
On 22/05/13 22:21, Yoav Nir wrote:
> Hi, Tobias
>
> On May 23, 2013, at 12:02 AM, Tobias Gondrom
> <mailto:tobias.gond...@gondrom.org> wrote:
>
>
>
>>> On Thu, May 16, 2013 at 12:58 AM, Tobias Gondrom
>>> <mailto:tobias.gond...@gondrom.org> wrote:
>>>
>>>
>>> as mentioned before: I believe a t
Hi, Tobias
On May 23, 2013, at 12:02 AM, Tobias Gondrom
<mailto:tobias.gond...@gondrom.org> wrote:
On Thu, May 16, 2013 at 12:58 AM, Tobias Gondrom
<mailto:tobias.gond...@gondrom.org> wrote:
as mentioned before: I believe a time limit of 1 month is too short
considering that some of the high
Hi Trevor, hi all,
thanks for the thoughts.
Maybe a few comments and a question inline.
On 18/05/13 18:40, Trevor Perrin wrote:
>
> Hi Tobias, all,
>
> I think Tobias gives a fair summary of the arguments against a 30-day
> spec limit. Let me summarize the opposing arguments:
>
>
> On Thu, Ma