
Re: fyi: Strict Transport Security (STS) specification


Florian Weimer

Oct 10, 2009, 4:19:07 PM
to dev-se...@lists.mozilla.org
* JeffH:

> We wish to bring the following draft specification to your attention.
>
> Strict Transport Security (STS)
> <http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html>

Does this address the lack of enforcement of the EV certificate
security level (i.e. it is usually sufficient to get any
browser-recognized certificate if I want to attack an EV site,
*without* disabling the EV UI)?

Adam Barth

Oct 10, 2009, 4:25:30 PM
to Florian Weimer, dev-se...@lists.mozilla.org
On Sat, Oct 10, 2009 at 1:19 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
> Does this address the lack of enforcement of the EV certificate
> security level (i.e. it is usually sufficient to get any
> browser-recognized certificate if I want to attack an EV site,
> *without* disabling the EV UI)?

Strict-Transport-Security does not address that threat model. Mozilla
has proposed an extension to STS, called lockCA, that does address
that threat model.

Adam
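
The distinction drawn in this exchange, as an added example that is not part of the thread, the draft, or any Mozilla code: a small model of an STS policy (the draft's max-age and includeSubDomains directives) and the check a browser makes once a host is known to it. Plain STS requires https and a certificate chain that validates to some browser-trusted root; it says nothing about which CA issued the chain, which is the gap Florian describes. The `locked_issuers` parameter is a hypothetical addition used here only to show what a CA-locking extension would additionally check; it is not lockCA's actual syntax or semantics, and the host and CA names are constructed.

```python
# Added illustration for this thread; not code from the STS draft, Mozilla or lockCA.
# Assumptions: header syntax limited to max-age and includeSubDomains (the draft's
# directives); `locked_issuers` is a hypothetical CA-lock parameter, not an STS feature.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StsPolicy:
    host: str
    expires: float            # absolute time (seconds) after which the policy lapses
    include_subdomains: bool


def parse_sts_header(host: str, header: str, now: float) -> Optional[StsPolicy]:
    """Parse a Strict-Transport-Security header value received over https from `host`.

    Returns None for a malformed header or for max-age=0 (which removes a policy).
    Unknown directives are ignored so that future extensions do not break parsing.
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age == 0:
        return None
    return StsPolicy(host=host, expires=now + max_age, include_subdomains=include_sub)


def policy_covers(policy: StsPolicy, host: str, now: float) -> bool:
    """True if `host` is governed by `policy` at time `now`."""
    if now >= policy.expires:
        return False
    if host == policy.host:
        return True
    return policy.include_subdomains and host.endswith("." + policy.host)


def connection_allowed(policy: Optional[StsPolicy], host: str, scheme: str,
                       chain_trusted: bool, issuer: str,
                       locked_issuers: Optional[frozenset] = None,
                       now: float = 0.0) -> bool:
    """Decide whether the browser may proceed with this connection.

    STS as the draft describes it: for a known host, only https with a chain that
    validates to a browser-trusted root is acceptable; certificate errors are fatal.
    `locked_issuers` is NOT part of STS: it is a hypothetical CA lock added here to
    show the extra check a lockCA-style extension would impose (accept only a
    chain issued by a pinned CA), which plain STS never makes.
    """
    if policy is None or not policy_covers(policy, host, now):
        return True    # no STS policy: ordinary browser behaviour, nothing enforced here
    if scheme != "https" or not chain_trusted:
        return False   # STS: no http, no click-through on an untrusted chain
    if locked_issuers is not None and issuer not in locked_issuers:
        return False   # hypothetical CA lock: any other trusted CA is rejected
    return True


if __name__ == "__main__":
    # Constructed sample: a bank sets STS for a year, covering subdomains.
    pol = parse_sts_header("bank.example", "max-age=31536000; includeSubDomains", now=1000.0)
    # Plain STS: a chain from any browser-trusted CA is accepted for the EV site.
    print(connection_allowed(pol, "bank.example", "https", True, "OtherTrustedCA", now=2000.0))
    # With a CA lock on the EV issuer, the same chain is rejected.
    print(connection_allowed(pol, "bank.example", "https", True, "OtherTrustedCA",
                             locked_issuers=frozenset({"EV-CA"}), now=2000.0))
```

Run as a script, the first line prints True and the second False: the policy alone cannot tell an attacker's certificate from a mis-issued one from any other trusted CA, which is exactly why a separate CA-locking mechanism is needed for that threat model.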
