
CSP: Minimum cipher strength

From: Erlend Oftedal <erlend@oftedal.no>
Date: Mon, 8 Sep 2014 22:54:46 +0200
Message-ID: <CAHnknQWJa43C1xkkbyxR4F3X5YBXTJSTJvjj+av27tAjqQkhJw@mail.gmail.com>
To: public-webappsec@w3.org

Hi

Reading this blog post
http://marc.durdin.net/2014/09/risks-with-third-party-scripts-on-internet-banking-sites/
made me think about the problem of using third party scripts where the
SSL/TLS is poorly configured, and how we could deal with that.

One option could be to put a minimum cipher strength policy into CSP, which
would cause the browser to not load pages, scripts etc. if the policy was
not honoured.

I'm not sure how one would specify this policy, but maybe minimum
keylengths for approved algorithms.

What do you think? Would this make any sense? Too difficult to implement or
specify the policy?

Best regards,
Erlend
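The policy sketched in the mail (approved algorithms with minimum key lengths, enforced per resource origin) as an added worked example; this is not code from the thread or from any CSP implementation. It assumes a hypothetical policy table, and that a client feeds it the negotiated protocol (as `ssl.SSLSocket.version()` reports it), the OpenSSL cipher long name (the `symmetric` field of `ssl.SSLContext.get_ciphers()`) and the key length; the sample loads are constructed values, not measurements of any site.

```python
# Hypothetical policy of the kind the proposal sketches (not a real CSP
# directive): approved symmetric algorithm families mapped to the minimum
# key length in bits, plus a floor on the negotiated protocol version.
MIN_BITS_BY_FAMILY = {"aes": 128, "chacha20": 256}
MIN_PROTOCOL = "TLSv1.2"
_PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def evaluate(conn):
    """Return (allowed, reason) for one negotiated connection.

    `conn` is a dict with 'origin', 'protocol' (e.g. 'TLSv1.2', as
    ssl.SSLSocket.version() reports it), 'cipher' (OpenSSL long name such as
    'aes-128-gcm', the 'symmetric' field of get_ciphers()) and 'bits'.
    """
    proto = conn.get("protocol")
    if proto not in _PROTOCOL_ORDER:
        return False, "unknown protocol %r" % (proto,)  # fail closed
    if _PROTOCOL_ORDER.index(proto) < _PROTOCOL_ORDER.index(MIN_PROTOCOL):
        return False, "%s is below minimum %s" % (proto, MIN_PROTOCOL)
    cipher = (conn.get("cipher") or "").lower()
    family = cipher.split("-", 1)[0]          # 'aes-256-cbc' -> 'aes'
    minimum = MIN_BITS_BY_FAMILY.get(family)
    if minimum is None:
        return False, "cipher %r is not an approved algorithm" % (cipher,)
    bits = int(conn.get("bits") or 0)
    if bits < minimum:
        return False, "%d-bit %s key is below minimum %d" % (bits, family, minimum)
    return True, "ok"


def blocked_loads(conns):
    """Map each origin the policy would refuse to load to the reason."""
    blocked = {}
    for conn in conns:
        allowed, reason = evaluate(conn)
        if not allowed:
            blocked[conn["origin"]] = reason
    return blocked


# Constructed sample of what a page's first- and third-party loads might have
# negotiated; made-up values, not measurements of any real site.
SAMPLE_LOADS = [
    {"origin": "https://bank.example", "protocol": "TLSv1.2", "cipher": "aes-128-gcm", "bits": 128},
    {"origin": "https://cdn.example", "protocol": "TLSv1.2", "cipher": "chacha20-poly1305", "bits": 256},
    {"origin": "https://analytics.example", "protocol": "TLSv1", "cipher": "aes-256-cbc", "bits": 256},
    {"origin": "https://widgets.example", "protocol": "TLSv1.2", "cipher": "des-ede3-cbc", "bits": 112},
    {"origin": "https://legacy.example", "protocol": "TLSv1.2", "cipher": "rc4", "bits": 128},
]

if __name__ == "__main__":
    for origin, reason in blocked_loads(SAMPLE_LOADS).items():
        print("would block %s: %s" % (origin, reason))
```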
Received on Monday, 8 September 2014 20:55:14 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC