- From: John Yeuk Hon Wong <gokoproject@gmail.com>
- Date: Mon, 08 Sep 2014 20:09:17 -0400
- To: public-webappsec@w3.org
- Message-ID: <540E452D.6000500@gmail.com>
On 9/8/14 4:54 PM, Erlend Oftedal wrote:
> Hi
>
> Reading the chapter, this blog post
> http://marc.durdin.net/2014/09/risks-with-third-party-scripts-on-internet-banking-sites/
> made me think about the problem of using third-party scripts where the
> SSL/TLS is poorly configured, and how we could deal with that.
>

Maybe I misunderstood the motivation... but as the blog post says, a third-party script can be hijacked at any given time. If you use a third-party script, you are trusting the organization hosting the script on your behalf. You include them because you **trust** them.

To me, the best way to do that is for browsers to reject weak ciphers at some point in the future, similar to Chrome's goal of deprecating SHA-1 certificates in the next few years. There was a small discussion about this on the IETF list, based on a quick search. [1]

The other question I have is how many insecure ciphers people are using and how many are still honored by modern browsers? All?

[1]: http://www.ietf.org/mail-archive/web/tls/current/msg09789.html

John
Received on Tuesday, 9 September 2014 00:09:46 UTC
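The message asks which cipher suites a client still honors and argues that the client side should refuse weak ones. The script below is an added example, not part of this thread or of any browser's code: it classifies cipher suite names by the OpenSSL naming convention (RC4, DES/3DES, NULL, export, MD5 and anonymous key exchange are flagged, and anything without ECDHE/DHE or TLS 1.3 is flagged for lacking forward secrecy), audits a Python `ssl.SSLContext` against that policy, and builds a hardened context that enables only suites the policy accepts. The sample suite list and the cipher string are constructed for illustration; the weak/strong split is a reviewer's choice, not a spec.

```python
import ssl

# Substrings in OpenSSL suite names that identify algorithms nobody should
# still accept: RC4, single DES and 3DES, no encryption, export grades, MD5
# MACs, and anonymous DH/ECDH key exchange (no server authentication).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Prefixes of suites with forward-secret key exchange. "TLS_" suites are the
# TLS 1.3 names, where every suite is (EC)DHE.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


def is_weak(name: str) -> bool:
    """Return True if a suite name should be rejected under this policy."""
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return True
    return not upper.startswith(FORWARD_SECRET_PREFIXES)


def weak_suites(names):
    """Subset of `names` that the policy rejects, in original order."""
    return [n for n in names if is_weak(n)]


def audit_context(ctx: ssl.SSLContext):
    """Names of suites the context would actually offer that the policy rejects.

    ssl.SSLContext.get_ciphers() reports what the underlying OpenSSL build
    has enabled for this context, which is the client-side analogue of the
    question "how many insecure ciphers are still honored?".
    """
    return weak_suites(c["name"] for c in ctx.get_ciphers())


def hardened_context() -> ssl.SSLContext:
    """Client context that only offers AEAD suites with (EC)DHE key exchange.

    The cipher string is an assumed, constructed policy; TLS 1.3 suites are
    governed separately by OpenSSL and are all AEAD with forward secrecy.
    """
    ctx = ssl.create_default_context()          # verifies certs and hostnames
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
        "!aNULL:!eNULL:!MD5:!RC4:!3DES"
    )
    return ctx


# Constructed sample: a mix of suites a 2014-era server might advertise.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_256_GCM_SHA384",
    "AES256-SHA",            # RSA key exchange, no forward secrecy
    "DES-CBC3-SHA",          # 3DES
    "RC4-SHA",
    "EXP-RC2-CBC-MD5",
    "ADH-AES128-SHA",        # anonymous DH
]

if __name__ == "__main__":
    print("rejected from sample:", weak_suites(SAMPLE_SUITES))
    print("rejected in hardened context:", audit_context(hardened_context()))
```

Pointing `audit_context` at `ssl.create_default_context()` without the `set_ciphers` call shows what the local OpenSSL build still offers by default; the hardened context is what a client that "rejects weak ciphers" looks like in practice, and the same `set_ciphers` string works on a server-side context.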