On Sun, Sep 13, 2015 at 2:56 PM, AnilG wrote:
Thanks Chris, I'll follow up with IT on this question.
>
You can check yourself if the chain you see chains up to the right root. In
Chrome, click on the lock icon in the location bar, click the Connection
Tab, and then
On Fri, Jun 5, 2015 at 8:04 AM, Peter Kurrasch fhw...@gmail.com wrote:
Certificate Transparency gets us what we want, I think. CT works
globally, and is safer, and significantly changes the trust equation:
* Reduces to marginal/effectively destroys the attack value of mis-issuance
Please
On Wed, Oct 29, 2014 at 2:02 PM, Dean Coclin dean.j.coc...@verizon.net wrote:
But many people do in fact look at the security indicators. If that
statement were true, why do fraudsters bother to get SSL certs (mostly DV)
for their phishing websites? It's because they know that people are
On Mon, Oct 27, 2014 at 10:58 AM, John Nagle na...@sitetruth.com wrote:
It's appropriate for browsers to show that new information with
users. In the browser, there are two issues: 1) detecting OV
certs, which requires a list of per-CA OIDs, and 2) displaying
something in the GUI.
If users
On Tue, Sep 23, 2014 at 11:08 AM, fhw...@gmail.com wrote:
So what is the reason to use HSTS over a server initiated redirect? Seems to
me the latter would provide greater security whereas the former is easy to
bypass.
You have it backwards.
http://www.thoughtcrime.org/software/sslstrip/
On Sat, Sep 20, 2014 at 1:10 AM, Anne van Kesteren ann...@annevk.nl wrote:
My point is that UI indicators should reflect the reality of actual
technical security boundaries. Unless we actually create a boundary,
we shouldn't show that we have.
So why do you show special UI for EV?
For
On Mon, Sep 22, 2014 at 5:56 AM, Henri Sivonen hsivo...@hsivonen.fi wrote:
-- HTTP Strict Transport Security
Yes, but I think this requirement shouldn't apply to subresources for
the page to qualify, since top-level HSTS together with the No mixed
content requirement mean that there's no
On Fri, Sep 19, 2014 at 4:52 AM, Anne van Kesteren ann...@annevk.nl wrote:
Please keep in mind that the origin is the security boundary on the
web, and is defined as being (scheme, host, port).
And optional additional data:
https://html.spec.whatwg.org/multipage/browsers.html#origin
I
On Thu, Sep 18, 2014 at 5:15 PM, diaf...@gmail.com wrote:
Instead of trying to pile on more clutter to the lock/warning/globe states,
how about letting the user determine the threshold of those states?
The default would be what they are now, but perhaps in about:config you could
set the
On Tue, Aug 26, 2014 at 5:18 PM, Matt Palmer mpal...@hezmatt.org wrote:
On an unrelated point, I'd like to thank you, Kathleen, for the work you do
in this area. Going over the minutiae of audit reports can't be a
particularly fun job, but it *is* a very necessary one, so thanks for being
FWIW, that's a misquote; I didn't write that.
On Aug 12, 2014 4:38 AM, Peter Gutmann pgut...@cs.auckland.ac.nz wrote:
[Apologies if you've seen this before, it looks like up to a week's worth of
mail from here has been lost, this is a resend of the backlog]
Chris Palmer pal...@google.com
On Wed, Aug 6, 2014 at 12:02 AM, andrew.be...@gmail.com wrote:
I'm all for pushing people onto SSL, and of course if you stigmatise
non-secure connections the demand for SSL increases and CDNs will need to
compete on their ability to support it at a reasonable cost. But there's a
chicken
On Tue, Jul 22, 2014 at 2:00 PM, Brian Smith br...@briansmith.org wrote:
Firefox's cert override mechanism uses a different pinning mechanism
than the key pinning feature. Basically, Firefox saves a tuple
(domain, port, cert fingerprint, isDomainMismatch,
isValidityPeriodProblem,
On Wed, Dec 11, 2013 at 2:48 PM, Jeremy Rowley
jeremy.row...@digicert.com wrote:
If you are granting more time, I have a whole bunch of customers who are not
happy about the 2013 cutoff. Extending it for some CAs is patently unfair
to those of us who have taken a hard stance on the deadline
14 matches