W3C home > Mailing lists > Public > public-html@w3.org > September 2009

Re: [whatwg] fyi: Strict Transport Security specification

From: Giorgio Maone <g.maone@informaction.com>
Date: Sun, 20 Sep 2009 11:40:33 +0200
Message-ID: <4AB5F891.9050504@informaction.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>
CC: W3C HTML WG <public-html@w3.org>, whatwg@whatwg.org
Hi,

fwiw, NoScript 1.9.8.9 (next stable release, to be published during the 
incoming week), will support STS according to the current specification.

I had heard just yesterday from a leader Asian e-commerce player who 
wants to deploy it as soon as possible (even in the beginning of October).
I'm chatting with their security staff right now, and they're enthusiast 
of this development (especially of WebKit support).

Cheers
--
Giorgio Maone
http://hackademix.net
http://noscript.net

=JeffH wrote, On 20/09/2009 1.59:
> Of possible interest to public-html@ & whatwg@ denizens...
>
> [apologies for duplication]
>
> ------- Forwarded Message
>
> Date:    Fri, 18 Sep 2009 18:00:50 -0700
> From:    =JeffH <Jeff.Hodges@KingsMountain.com>
> To:      public-webapps@w3.org
> cc:      Jeff Hodges <jeff.hodges@paypal.com>,
>      Adam Barth <abarth@eecs.berkeley.edu>,
>      Collin Jackson <collin.jackson@sv.cmu.edu>
> Subject: fyi: Strict Transport Security specification
>
> Hi,
>
> We wish to bring the following draft specification to your attention..
>
>      Strict Transport Security (STS)
> <http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges- 
>
> strict-transport-sec-05.plain.html>
>
>
> It specifies a refined approach to that described by Jackson and Barth 
> in..
>
>      ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
>      https://crypto.stanford.edu/forcehttps/
>
>
> An experimental implementation of STS will be appearing in the Google 
> Chrome
> dev channel in the not-too-distant future..
>
>      Google Chrome 4.0.211.0 (dev channel)
>
>
> Sid Stamm (of Mozilla) has a Firefox extension presently implementing
> an earlier revision of this specification (a soon-to-appear v2.0 of
> the extension will implement the present spec version)..
>
>      Force-TLS 1.0.3
>      https://addons.mozilla.org/en-US/firefox/addon/12714
>
> Sid also discusses this approach in this blog post..
>
>      Locking up the valuables: Opt-in security with ForceTLS
> <http://blog.mozilla.com/security/2009/07/27/locking-up-the-valuables-opt-in-se 
>
> curity-with-forcetls/>
>
>
> We are interested in bringing this work to W3C WebApps Working Group as a
> Recommendation-track specification. We are willing to license it under 
> W3C
> terms, we understand that it may change due to implementer or public 
> feedback,
> and that should it be of interest to other implementors, we're willing to
> contribute to editorial and test suite efforts.
>
> We're looking forward to the WebApps WG's feedback and comments.
>
> Thanks,
>
> =JeffH
> PayPal InfoSec Team
>
> Collin Jackson
> Carnegie Mellon University
>
> Adam Barth
> University of California Berkeley
>
> ------- End of Forwarded Message
>
>
>
>
Received on Sunday, 20 September 2009 11:50:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:16:48 GMT