CSP: Minimum cipher strength

Hi

Reading this blog post
http://marc.durdin.net/2014/09/risks-with-third-party-scripts-on-internet-banking-sites/
made me think about the problem of using third-party scripts where the
SSL/TLS is poorly configured, and how we could deal with that.

One option could be to put a minimum cipher strength policy into CSP, which
would cause the browser to not load pages, scripts etc. if the policy was
not honoured.

I'm not sure how one would specify this policy, but maybe minimum
key lengths for approved algorithms.

What do you think? Would this make any sense? Too difficult to implement or
specify the policy?

Best regards,
Erlend

Received on Monday, 8 September 2014 20:55:14 UTC
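To make the proposal concrete, here is an added example (not part of the message above, and not any shipping CSP feature) of what a policy of "minimum key lengths for approved algorithms" could look like if it were evaluated against what a TLS client actually negotiates. The directive names `min-cipher-strength` and `min-tls-version` and their syntax are invented for illustration; the negotiated-parameter triples are constructed to match the shape of Python's `ssl.SSLSocket.cipher()` return value, and the only live-network function is the optional `check_host`.

```python
"""Sketch of a client-side 'minimum cipher strength' policy check.

The directive syntax is hypothetical (not CSP); the evaluation runs on the
(suite, protocol version, key bits) triple that ssl.SSLSocket.cipher() returns.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Ordering used to compare protocol version strings as reported by the ssl module.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Substrings of OpenSSL suite names that identify the bulk cipher family.
# Checked in order; anything that matches nothing is treated as unapproved.
FAMILY_MARKERS = (
    ("CHACHA20", "CHACHA20"),
    ("AES", "AES"),
    ("DES-CBC3", "3DES"),
    ("3DES", "3DES"),
    ("RC4", "RC4"),
    ("NULL", "NULL"),
)


@dataclass
class CipherPolicy:
    min_bits: Dict[str, int] = field(default_factory=dict)  # family -> minimum key length
    min_version: str = "TLSv1.2"


def parse_policy(text: str) -> CipherPolicy:
    """Parse the hypothetical directives, e.g.
    'min-cipher-strength AES:128 CHACHA20:256; min-tls-version TLSv1.2'."""
    policy = CipherPolicy()
    for directive in text.split(";"):
        parts = directive.split()
        if not parts:
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "min-cipher-strength":
            for arg in args:
                family, bits = arg.upper().split(":")
                policy.min_bits[family] = int(bits)
        elif name == "min-tls-version":
            if not args or args[0] not in TLS_ORDER:
                raise ValueError(f"unknown TLS version in {directive!r}")
            policy.min_version = args[0]
        else:
            raise ValueError(f"unknown directive {name!r}")
    return policy


def cipher_family(suite: str) -> Optional[str]:
    """Map a suite name such as ECDHE-RSA-AES128-GCM-SHA256 to its bulk cipher family."""
    upper = suite.upper()
    for marker, family in FAMILY_MARKERS:
        if marker in upper:
            return family
    return None


def evaluate(policy: CipherPolicy, suite: str, version: str, bits: int) -> Tuple[bool, str]:
    """Decide whether a negotiated (suite, version, bits) triple satisfies the policy.
    Returns (allowed, reason). Version is checked first, then family, then key length."""
    if version not in TLS_ORDER:
        return False, f"unknown protocol version {version!r}"
    if TLS_ORDER[version] < TLS_ORDER[policy.min_version]:
        return False, f"{version} is below the minimum {policy.min_version}"
    family = cipher_family(suite)
    if family is None or family not in policy.min_bits:
        return False, f"{suite}: cipher family {family} is not approved"
    if bits < policy.min_bits[family]:
        return False, f"{suite}: {bits}-bit {family} is below the minimum {policy.min_bits[family]}"
    return True, f"{suite} over {version} satisfies the policy"


def check_host(policy: CipherPolicy, host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """Connect to a script host and evaluate what it actually negotiates (needs network).
    Note: create_default_context() already refuses very old protocol versions, so a
    weak server shows up as a handshake error rather than a policy verdict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, version, bits = tls.cipher()
            return evaluate(policy, suite, version, bits)


# Constructed negotiation results in the shape ssl.SSLSocket.cipher() returns.
SAMPLE_NEGOTIATIONS = [
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
    ("TLS_CHACHA20_POLY1305_SHA256", "TLSv1.3", 256),
    ("RC4-SHA", "TLSv1", 128),
    ("DES-CBC3-SHA", "TLSv1.2", 112),
]


def run_samples(policy_text: str) -> Dict[str, bool]:
    """Evaluate every constructed sample against a policy string; suite -> allowed."""
    policy = parse_policy(policy_text)
    return {suite: evaluate(policy, suite, ver, bits)[0] for suite, ver, bits in SAMPLE_NEGOTIATIONS}


if __name__ == "__main__":
    strict = "min-cipher-strength AES:256 CHACHA20:256; min-tls-version TLSv1.2"
    policy = parse_policy(strict)
    for suite, ver, bits in SAMPLE_NEGOTIATIONS:
        print(evaluate(policy, suite, ver, bits))
```

The split into version, approved family and minimum bits mirrors the three separate things a "cipher strength" policy would have to say; note that the symmetric key length reported by `cipher()` says nothing about the key-exchange or certificate key size, which such a policy would also need to cover.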