Hey all, Anne suggested an idea to me that I thought would be interesting for this group. Consider this email a rough sketch of an idea, not any sort of plan.
There are a bunch of security features right now that I think we all agree improve security over and above just using HTTPS:

-- HTTP Strict Transport Security
-- HTTP Public Key Pinning
-- TLS 1.2+
-- Certificate Transparency
-- Use of ciphersuites with forward secrecy
-- No mixed content
-- Content Security Policy (?)
-- Sub-resource integrity (?)

It would be good if we could create incentives for sites to turn on these features. EFF has already seen some sites trying to turn things green on their "Encrypt the Web Report" [1].

Should we consider creating a suite of features that comprise a "high-security" web site, and create some UI to express that to the user?

We could invent new UI for this (e.g., a green lock icon), or we could overlay these requirements on the EV criteria. Chrome already does this to some extent, downgrading the EV indicator to DV if the site attempts to POST to an "http://" URI or (soon) if the site doesn't do CT.

What would people think about creating a list of security features that must be enabled in order to get special UI (EV or otherwise)? We would obviously want to coordinate this with the other browser vendors, and to some degree with site operators (though the whole point here is to lean on them to do better!)

Thoughts? Suggestions?

Thanks,
--Richard

[1] https://www.eff.org/encrypt-the-web-report
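Added example, not part of the original message or of any browser's code: a sketch of how the features listed above could be checked for a single HTTPS response. The function names, the pass criteria and the constructed sample response are assumptions; TLS version, forward secrecy and CT status are passed in by the caller because they are not visible in headers or HTML.

```python
from html.parser import HTMLParser

class PageScan(HTMLParser):
    """Collects mixed-content loads, insecure POST targets and SRI gaps."""
    def __init__(self):
        super().__init__()
        self.insecure, self.no_sri = [], []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") or (a.get("href", "") if tag == "link" else "")
        if url.lower().startswith("http://"):
            self.insecure.append(url)              # mixed content
        posts = tag == "form" and a.get("method", "").lower() == "post"
        if posts and a.get("action", "").lower().startswith("http://"):
            self.insecure.append(a["action"])      # POST to an http:// URI
        sri_tag = tag == "script" or (tag == "link" and "stylesheet" in a.get("rel", "").lower())
        # Assumption: any absolute https:// URL is treated as third-party.
        if sri_tag and url.lower().startswith("https://") and not a.get("integrity"):
            self.no_sri.append(url)

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value, 0 if absent."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.strip('"').isdigit():
            return int(val.strip('"'))
    return 0

def audit(headers, html, tls_version, forward_secret, has_sct):
    """Map each feature from the list above to True/False for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    scan = PageScan()
    scan.feed(html)
    return {
        "HSTS": hsts_max_age(h.get("strict-transport-security", "")) > 0,
        "HPKP": "public-key-pins" in h,
        "TLS 1.2+": tls_version >= (1, 2),
        "Certificate Transparency": has_sct,
        "Forward secrecy": forward_secret,
        "No mixed content": not scan.insecure,
        "CSP": "content-security-policy" in h,
        "SRI": not scan.no_sri,
    }

# Constructed sample response (not real traffic).
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                  "Content-Security-Policy": "default-src 'self'"}
SAMPLE_HTML = ('<script src="https://cdn.example/lib.js"></script>'
               '<img src="http://img.example/logo.png">'
               '<form method="POST" action="http://example.com/login"></form>')
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_HTML, (1, 2), True, False)` reports which of the eight features the sample response satisfies; a "high-security" decision would then be whatever rule is agreed over those results.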

