Re: [W3C Web Security IG] developers security check list

On 6 September 2016 at 15:41, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:

> Melvin,
> Can't Let's Encrypt help on this matter?
>
Let's Encrypt is awesome, but it still doesn't do wildcard certificates.

From a security POV it's useful to have control over different origins,
because the origin tends to be a security boundary.

For my use case, I would like to provision users with cloud storage. The
ideal way to do this, at the present time, is to have one user per domain
because of the behaviour of JavaScript in most browsers. It's still hard
because you have to type in a subdomain for each user and then update your
cert (shutting down all traffic) when a new user is added, and then there are
also limits on how often you can do this.

Hopefully services such as Let's Encrypt will add this feature in future;
right now, HTTPS everywhere is still easy for the big guy and hard(er) for
the little guy.

> Virginie
>
>
> ---- Melvin Carvalho a écrit ----
>
>
>
>
> On 6 September 2016 at 11:25, GALINDO Virginie <Virginie.Galindo@gemalto.com> wrote:
>
>> Dear all,
>>
>> FYI, a github project listing security good practices for development
>> (including web dev).
>>
>> https://github.com/FallibleInc/security-guide-for-developers/blob/master/security-checklist.md
>>
>
> Re point 1, use HTTPS "everywhere": it would be nice, but that's simply not
> affordable for many developers, with wildcard certificates still being of
> the order of $100 per year.
>
>
>>
>> Regards,
>>
>> Virginie
>>
>>
>> ------------------------------
>> This message and any attachments are intended solely for the addressees
>> and may contain confidential information. Any unauthorized use or
>> disclosure, either whole or partial, is prohibited.
>> E-mails are susceptible to alteration. Our company shall not be liable
>> for the message if altered, changed or falsified. If you are not the
>> intended recipient of this message, please delete it and notify the sender.
>> Although all reasonable efforts have been made to keep this transmission
>> free from viruses, the sender will not be liable for damages caused by a
>> transmitted virus.
>>
>
>
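The two points Melvin's reply rests on, shown as an added example that is not part of the thread: per-user subdomains are distinct browser origins (scheme, host, port), and a single wildcard name such as `*.storage.example` covers a newly added user's subdomain without reissuing the certificate, whereas a certificate listing each user's hostname does not. The hostnames and certificate name lists are constructed for illustration; wildcard matching follows the RFC 6125 one-label rule.

```python
"""Added example (not from the thread): per-user subdomains as separate
origins, and which hostnames a wildcard certificate name covers.
All hostnames and certificate name lists below are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple browsers use as the origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported URL: {url}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    """Two URLs share an origin only if scheme, host and port all match."""
    return origin(a) == origin(b)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' may only be the entire leftmost label and
    matches exactly one label, so *.storage.example covers alice.storage.example
    but neither storage.example itself nor a.b.storage.example."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # '*' elsewhere than the whole leftmost label is invalid
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(cert_names: list, hostname: str) -> bool:
    """True if any name on the certificate (SAN list) covers hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    alice = "https://alice.storage.example/files/"
    bob = "https://bob.storage.example/files/"
    print("alice and bob share an origin:", same_origin(alice, bob))
    wildcard_cert = ["storage.example", "*.storage.example"]
    per_user_cert = ["storage.example", "alice.storage.example", "bob.storage.example"]
    new_user = "carol.storage.example"
    print("wildcard cert covers new user:", covered_by(wildcard_cert, new_user))
    print("per-user cert covers new user:", covered_by(per_user_cert, new_user))
```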

Received on Tuesday, 6 September 2016 14:08:09 UTC