Of possible interest to [email protected] denizens...
[ note also that NoScript implements the (draft) STS spec as of version 1.9.8.9 ]

------- Forwarded Message

Date: Fri, 18 Sep 2009 18:00:50 -0700
From: =JeffH <[email protected]>
To: [email protected]
cc: Jeff Hodges <[email protected]>, Adam Barth <[email protected]>, Collin Jackson <[email protected]>
Subject: fyi: Strict Transport Security specification

Hi,

We wish to bring the following draft specification to your attention..

  Strict Transport Security (STS)
  <http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html>

It specifies a refined approach to that described by Jackson and Barth in..

  ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
  https://crypto.stanford.edu/forcehttps/

An experimental implementation of STS will be appearing in the Google Chrome dev channel in the not-too-distant future..

  Google Chrome 4.0.211.0 (dev channel)

Sid Stamm (of Mozilla) has a Firefox extension presently implementing an earlier revision of this specification (a soon-to-appear v2.0 of the extension will implement the present spec version)..

  Force-TLS 1.0.3
  https://addons.mozilla.org/en-US/firefox/addon/12714

Sid also discusses this approach in this blog post..

  Locking up the valuables: Opt-in security with ForceTLS
  <http://blog.mozilla.com/security/2009/07/27/locking-up-the-valuables-opt-in-security-with-forcetls/>

We are interested in bringing this work to W3C WebApps Working Group as a Recommendation-track specification. We are willing to license it under W3C terms, we understand that it may change due to implementer or public feedback, and that should it be of interest to other implementors, we're willing to contribute to editorial and test suite efforts.

We're looking forward to the WebApps WG's feedback and comments.

Thanks,

=JeffH
PayPal InfoSec Team

Collin Jackson
Carnegie Mellon University

Adam Barth
University of California Berkeley

------- End of Forwarded Message

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
