On Thu, Feb 15, 2018 at 6:34 AM, Kevin Chadwick <[email protected]> wrote:
> The cookies etc. should be SSL only. Particular pages enforced, sure.
>
> Enforcing TLS with HSTS sitewide means that users with failed
> bios/laptop batteries have to know to reset their clock or get used to
> bypassing SSL warnings or use out of date browsers to access sites.
> A fairly common problem, not good. Think real world, please. This hurts
> the most vulnerable.
>
> Another solution may be to remove the cert is not valid YET
> restriction but that is a can of worms.
>

I'm not sure this can be worked around. A setup where time is not
pulled from the network is abnormal now, and most people who have such
a system soon realize what the issue is. Some RTCs choose very poor
oscillators or resonators and will lose seconds a week in some cases.
Disregarding the intent of the certificates does not seem to be a good
idea.

The certificate warnings are a good reminder to update my clock
(seriously). Perhaps offer this information on the error page?

Cheers,
     R0b0t1
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
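The exchange above turns on two clock-dependent checks that the browser makes on the client's own clock: whether the server certificate's notBefore/notAfter window contains "now", and whether a cached HSTS policy is still within its max-age. The following is an added example (not code from the thread or from any browser) that models a simplified client decision: a certificate time error on a non-HSTS host produces a warning the user can click through, while on an HSTS host RFC 6797 section 12.1 requires the user agent to fail closed. The hostnames, certificate dates, HSTS header and clock values are constructed for illustration, and the "dead CMOS battery" and "RTC drift" scenarios are the ones Kevin and R0b0t1 describe.

```python
"""
Added example, not from the dev-security-policy thread: how a browser-style
client combines certificate validity and a cached HSTS policy when the local
clock is wrong. All certificates, hosts, headers and clock values below are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class CertValidity:
    """The notBefore/notAfter window of a leaf certificate (constructed)."""
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class HstsEntry:
    """What a client remembers after seeing Strict-Transport-Security."""
    host: str
    expires: datetime            # observed_at + max-age, judged by the LOCAL clock
    include_subdomains: bool


_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_hsts(host: str, header: str, observed_at: datetime) -> Optional[HstsEntry]:
    """Turn a Strict-Transport-Security header into a cache entry, per RFC 6797."""
    m = _MAX_AGE.search(header)
    if not m:
        return None                      # max-age is mandatory; ignore the header
    max_age = int(m.group(1))
    if max_age == 0:
        return None                      # max-age=0 clears any stored policy
    include_sub = any(d.strip().lower() == "includesubdomains"
                      for d in header.split(";"))
    return HstsEntry(host, observed_at + timedelta(seconds=max_age), include_sub)


def hsts_applies(entry: Optional[HstsEntry], host: str, now: datetime) -> bool:
    """Is `host` covered by a still-unexpired policy, as judged by clock `now`?"""
    if entry is None or now >= entry.expires:
        return False
    if host == entry.host:
        return True
    return entry.include_subdomains and host.endswith("." + entry.host)


def cert_time_error(cert: CertValidity, now: datetime) -> Optional[str]:
    """The validity-period check a TLS client performs on its own clock."""
    if now < cert.not_before:
        return "not yet valid"
    if now > cert.not_after:
        return "expired"
    return None


CONNECT = "connect"
WARN_BYPASSABLE = "warning, click-through allowed"
WARN_HARD_FAIL = "warning, HSTS forbids click-through"


def decide(cert: CertValidity, entry: Optional[HstsEntry],
           host: str, now: datetime) -> Tuple[str, Optional[str]]:
    """Simplified browser behaviour: HSTS hosts fail closed on cert errors."""
    err = cert_time_error(cert, now)
    if err is None:
        return CONNECT, None
    if hsts_applies(entry, host, now):
        return WARN_HARD_FAIL, err       # RFC 6797 s.12.1: no user override
    return WARN_BYPASSABLE, err


def run_scenarios() -> dict:
    """Constructed cert and HSTS policy evaluated under several wrong clocks."""
    cert = CertValidity(                 # issued this morning, valid ~90 days
        not_before=datetime(2018, 2, 15, 9, 0, tzinfo=UTC),
        not_after=datetime(2018, 5, 16, 9, 0, tzinfo=UTC),
    )
    # Policy was cached two weeks earlier, while the clock was still correct.
    entry = parse_hsts("example.org", "max-age=31536000; includeSubDomains",
                       observed_at=datetime(2018, 2, 1, tzinfo=UTC))
    host = "www.example.org"
    clocks = {
        "correct clock": datetime(2018, 2, 15, 10, 0, tzinfo=UTC),
        "RTC a few minutes slow": datetime(2018, 2, 15, 8, 57, tzinfo=UTC),
        "dead CMOS battery, clock reset": datetime(2010, 1, 1, tzinfo=UTC),
        "clock years ahead": datetime(2030, 1, 1, tzinfo=UTC),
    }
    return {name: decide(cert, entry, host, now) for name, now in clocks.items()}


if __name__ == "__main__":
    for name, (outcome, err) in run_scenarios().items():
        print(f"{name:32s} -> {outcome}" + (f" ({err})" if err else ""))
```

Two things worth noticing in the output: a clock only a few minutes slow is enough to hit "not yet valid" on a freshly issued certificate, and with a cached HSTS policy that error cannot be clicked through; a clock set years ahead, by contrast, also expires the cached HSTS entry, so the (now "expired") certificate warning becomes bypassable again. Both effects come from the same local clock, which is why the thread ends up pointing at the clock rather than at the certificate rules.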
