Hi

I would support your idea, but it's quite hard to implement. If a
server uses TLS 1.2 and HSTS, you still don't know if the connection is
really secure.
But it would be easier if Firefox showed more details about the
protocol, ciphers etc.


On 17.09.2014 at 17:20, Richard Barnes wrote:
> Hey all,
>
> Anne suggested an idea to me that I thought would be interesting for this 
> group.  Consider this email a rough sketch of an idea, not any sort of plan.
>
> There are a bunch of security features right now that I think we all agree 
> improve security over and above just using HTTPS:
> -- HTTP Strict Transport Security
> -- HTTP Public Key Pinning
> -- TLS 1.2+
> -- Certificate Transparency
> -- Use of ciphersuites with forward secrecy
> -- No mixed content
> -- Content Security Policy (?)
> -- Sub-resource integrity (?)
>
> It would be good if we could create incentives for sites to turn on these 
> features.  EFF has already seen some sites trying to turn things green on 
> their "Encrypt the Web Report" [1].  Should we consider creating a suite of 
> features that comprise a "high-security" web site, and create some UI to 
> express that to the user?
>
> We could invent new UI for this (e.g., a green lock icon), or we could 
> overlay these requirements on the EV criteria.  Chrome already does this to 
> some extent, downgrading the EV indicator to DV if the site attempts to POST 
> to an "http://" URI or (soon) if the site doesn't do CT.
>
> What would people think about creating a list of security features that must 
> be enabled in order to get special UI (EV or otherwise)?  We would obviously 
> want to coordinate this with the other browser vendors, and to some degree 
> with site operators (though the whole point here is to lean on them to do 
> better!)
>
> Thoughts?  Suggestions?
>
> Thanks,
> --Richard
>
> [1] https://www.eff.org/encrypt-the-web-report
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
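The feature list in Richard's mail can be partly assessed from a single HTTPS response: the negotiated protocol version and cipher suite come from the TLS socket, and HSTS, HPKP and CSP are response headers. The following is an added example, not code from the thread or from Mozilla; the feature names, the `evaluate`/`probe` functions and the sample observations are mine. Certificate Transparency, mixed content and sub-resource integrity are deliberately reported as "not assessed", since they need the certificate's SCT extension, the page markup and every sub-resource respectively. Note also that HPKP has since been removed from Chrome and Firefox, so that check reflects the 2014 list rather than current browser behaviour.

```python
import re
import ssl
import http.client

# Evaluation of the "high-security" feature list from the mail, applied to
# one observed HTTPS response.  The feature names are assumed; the checks
# are what a TLS socket and one set of response headers can show.

MODERN_TLS = {"TLSv1.2", "TLSv1.3"}
# OpenSSL cipher names with an ephemeral (EC)DH key exchange; every TLS 1.3
# suite (names starting with "TLS_") uses ephemeral key exchange as well.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def hsts_max_age(header):
    """Return the max-age value of a Strict-Transport-Security header, or None."""
    if header is None:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    return int(m.group(1)) if m else None


def evaluate(tls_version, cipher_name, headers):
    """Map each feature to True/False, or None where one response cannot tell.

    headers: dict of response headers with lower-cased names.
    """
    return {
        "tls_1_2_plus": tls_version in MODERN_TLS,
        "forward_secrecy": cipher_name.upper().startswith(FORWARD_SECRET_PREFIXES),
        "hsts": (hsts_max_age(headers.get("strict-transport-security")) or 0) > 0,
        "hpkp": "public-key-pins" in headers,
        "csp": "content-security-policy" in headers,
        # Need the certificate's SCT extension, the page markup and every
        # sub-resource respectively; not visible from one response.
        "certificate_transparency": None,
        "no_mixed_content": None,
        "subresource_integrity": None,
    }


def is_high_security(results):
    """True only when every feature that could be assessed passed."""
    return all(v for v in results.values() if v is not None)


def probe(host, path="/", timeout=10):
    """Fetch one response over TLS and evaluate it (needs network access)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=timeout)
    conn.connect()
    tls_version = conn.sock.version()     # e.g. "TLSv1.2"
    cipher_name = conn.sock.cipher()[0]   # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return evaluate(tls_version, cipher_name, headers)


# Constructed observations (not real measurements) for a stand-alone run.
GOOD = ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "public-key-pins": 'pin-sha256="<placeholder-pin>"; max-age=5184000',
    "content-security-policy": "default-src 'self'",
})
WEAK = ("TLSv1.0", "AES128-SHA", {"content-security-policy": "default-src 'self'"})

if __name__ == "__main__":
    for label, obs in (("good", GOOD), ("weak", WEAK)):
        r = evaluate(*obs)
        verdict = "high-security" if is_high_security(r) else "not high-security"
        print(label, verdict, r)
```

`probe("example.org")` runs the same evaluation against a live host; the offline `GOOD`/`WEAK` samples show the two outcomes. The "not assessed" entries are the concrete form of the point made in the reply: a server on TLS 1.2 with HSTS still leaves several of the listed properties unknown from the connection alone.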

