On Mon, 6 Jul 2020 19:22:22 +0200 Matthias van de Meent via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I notice that a lot of Subscriber Certificates contain https-based
> URLs (e.g. PKIOverheid/KPN, Sectigo, DigiCert), and that other
> http-based URLs redirect directly to an https-based website (e.g.
> LetsEncrypt, GoDaddy).

A piece of good news in this space is that these documents are generally intended to be accessed with a web browser. As a result, the browser gets to interpret the URL and may choose to upgrade to HTTPS based on considerations including:

* Policy of the host, or any parent domain (even a few TLDs are HSTS preloaded, meaning any HTTP URL in those domains will be treated as if it was HTTPS by a web browser)
* Policy of the user (e.g. HTTPS-Everywhere) can arbitrarily upgrade URLs regardless of where they come from.

Nick.
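As an added illustration of the first point above (not part of the original thread), the following Python walks a URL's host and its parent domains against a small constructed stand-in for the browser HSTS preload list, honouring includeSubDomains, and returns the URL the browser would actually fetch. The domains in PRELOAD are constructed examples, not entries from the real list.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's HSTS preload list: registered domain
# -> whether the entry covers subdomains (includeSubDomains). Real browsers
# ship a far larger list; none of these entries are taken from it.
PRELOAD = {
    "example.net": True,   # includeSubDomains: cps.example.net is covered too
    "example.org": False,  # exact host only; subdomains are not covered
    "app": True,           # constructed stand-in for a preloaded TLD
}


def preload_entry(host):
    """Return (matching_domain, include_subdomains) for host, checking the host
    itself and then each parent domain, or None when no entry covers it."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate not in PRELOAD:
            continue
        # An exact match always applies; a parent only applies with includeSubDomains.
        if i == 0 or PRELOAD[candidate]:
            return candidate, PRELOAD[candidate]
    return None


def browser_fetch_url(url):
    """Return the URL a browser using PRELOAD would request for a CPS/CP link."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or another scheme): nothing to upgrade
    if preload_entry(parts.hostname or "") is None:
        return url  # no preload policy applies: the plain-http request goes out
    # HSTS rewrites the scheme and maps an explicit port 80 to 443 (the https
    # default); any other explicit port is kept as-is.
    netloc = parts.hostname if parts.port == 80 else parts.netloc
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://cps.example.net/cps.pdf", "http://cps.example.org/cps.pdf",
              "http://ca.app/cps.pdf", "http://cps.example.com/cps.pdf"):
        print(u, "->", browser_fetch_url(u))
```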