Re: Firefox security too strict (HSTS?)?

On Sun, Sep 13, 2015 at 2:56 PM, AnilG wrote: Thanks Chris, I'll follow up with IT on this question. > You can check yourself if the chain you see chains up to the right root. In Chrome, click on the lock icon in the location bar, click the Connection Tab, and then

Re: CA scope transparency (was Re: Name-constraining government CAs, or not)

On Fri, Jun 5, 2015 at 8:04 AM, Peter Kurrasch fhw...@gmail.com wrote: Certificate Transparency gets us what we want, I think. CT works globally, and is safer, and significantly changes the trust equation: ‎ * Reduces to marginal/effectively destroys the attack value of mis-issuance Please

Re: Re: Organization info in certs not being properly recognized byFirefox

On Wed, Oct 29, 2014 at 2:02 PM, Dean Coclin dean.j.coc...@verizon.net wrote: But many people do in fact look at the security indicators. If that statement were true, why do fraudsters bother to get SSL certs (mostly DV) for their phishing websites? It's because they know that people are

Re: Organization info in certs not being properly recognized byFirefox

On Mon, Oct 27, 2014 at 10:58 AM, John Nagle na...@sitetruth.com wrote: It's appropriate for browsers to show that new information with users. In the browser, there are two issues: 1) detecting OV certs, which requires a list of per-CA OIDs, and 2) displaying something in the GUI. If users

Re: Indicators for high-security features

On Tue, Sep 23, 2014 at 11:08 AM, fhw...@gmail.com wrote: ‎So what is the reason to use HSTS over a server initiated redirect? Seems to me the latter would provide greater security whereas the former is easy to bypass. You have it backwards. http://www.thoughtcrime.org/software/sslstrip/

Re: Indicators for high-security features

On Sat, Sep 20, 2014 at 1:10 AM, Anne van Kesteren ann...@annevk.nl wrote: My point is that UI indicators should reflect the reality of actual technical security boundaries. Unless we actually create a boundary, we shouldn't show that we have. So why do you show special UI for EV? For

Re: Indicators for high-security features

On Mon, Sep 22, 2014 at 5:56 AM, Henri Sivonen hsivo...@hsivonen.fi wrote: -- HTTP Strict Transport Security Yes, but I think this requirement shouldn't apply to subresources for the page to qualify, since top-level HSTS together with the No mixed content requirement mean that there's no

Re: Indicators for high-security features

On Fri, Sep 19, 2014 at 4:52 AM, Anne van Kesteren ann...@annevk.nl wrote: Please keep in mind that the origin is the security boundary on the web, and is defined as being (scheme, host, port). And optional additional data: https://html.spec.whatwg.org/multipage/browsers.html#origin I

Re: Indicators for high-security features

On Thu, Sep 18, 2014 at 5:15 PM, diaf...@gmail.com wrote: Instead of trying to pile on more clutter to the lock/warning/globe states, how about letting the user determine the threshold of those states? The default would be what they are now, but perhaps in about:config you could set the

Re: Allow Redaction of issues detailed in BR Audit statements?

On Tue, Aug 26, 2014 at 5:18 PM, Matt Palmer mpal...@hezmatt.org wrote: On an unrelated point, I'd like to thank you, Kathleen, for the work you do in this area. Going over the minutiae of audit reports can't be a particularly fun job, but it *is* a very necessary one, so thanks for being

Re: Proposal: Switch generic icon to negative feedback for non-https sites

FWIW, that's a misquote; I didn't write that. On Aug 12, 2014 4:38 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote: [Apologies if you've seen this before, it looks like up to a week's worth of mail from here has been lost, this is a resend of the backlog] Chris Palmer pal...@google.com

Re: Proposal: Switch generic icon to negative feedback for non-https sites

On Wed, Aug 6, 2014 at 12:02 AM, andrew.be...@gmail.com wrote: I'm all for pushing people onto SSL, and of course if you stigmatise non-secure connections the demand for SSL increases and CDNs will need to compete on their ability to support it at a reasonable cost. But there's a chicken

Re: Proposal: Switch generic icon to negative feedback for non-https sites

On Tue, Jul 22, 2014 at 2:00 PM, Brian Smith br...@briansmith.org wrote: Firefox's cert override mechanism uses a different pinning mechanism than the key pinning feature. Basically, Firefox saves a tuple (domain, port, cert fingerprint, isDomainMismatch, isValidityPeriodProblem,

Re: Exceptions to 1024-bit cert revocation requirement

On Wed, Dec 11, 2013 at 2:48 PM, Jeremy Rowley jeremy.row...@digicert.com wrote: If you are granting more time, I have a whole bunch of customers who are not happy about the 2013 cutoff. Extending it for some CAs is patently unfair to those of us who have taken a hard stance on the deadline