
Re: CSP: Minimum cipher strength

From: John Yeuk Hon Wong <gokoproject@gmail.com>
Date: Mon, 08 Sep 2014 20:09:17 -0400
Message-ID: <540E452D.6000500@gmail.com>
To: public-webappsec@w3.org

On 9/8/14 4:54 PM, Erlend Oftedal wrote:
> Hi
>
> Reading this blog post
> http://marc.durdin.net/2014/09/risks-with-third-party-scripts-on-internet-banking-sites/
> made me think about the problem of using third-party scripts where the
> SSL/TLS is poorly configured, and how we could deal with that.
>
Maybe I misunderstood the motivation... but

As the blog post says, a third-party script can be hijacked at any given time.
If you use a third-party script, you are trusting the organization
hosting the script on your behalf. You include them because you
**trust** them.

To me, the best way to do that is for browsers to reject weak ciphers at some
point in the future, similar to Chrome's goal to deprecate SHA-1 certificates
over the next few years. There was a small discussion about this on the IETF
TLS list, based on a quick search. [1] The other question I have is how many
insecure ciphers are people using, and how many are still honored by modern
browsers? All?

[1]: http://www.ietf.org/mail-archive/web/tls/current/msg09789.html

John
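To put a number on the closing question for at least one TLS stack, here is an added example (not code from the message above or from the list): a name-based classifier for cipher suites, run over a constructed sample list and over whatever the local OpenSSL build will still negotiate. The weakness markers (export-grade, NULL encryption, anonymous key exchange, RC4, DES/3DES, MD5 MAC) and the cipher-string used to widen the local list are my assumptions; a real audit would also check protocol version and key sizes.

```python
"""Flag weak TLS cipher suites by name and audit what the local TLS stack still honors.

Added example, not part of the original mailing-list message. The weakness
heuristics are name-based assumptions over OpenSSL and IANA suite names.
"""
import re
import ssl
from typing import Dict, List, Tuple

# Ordered (reason, pattern) checks. Assumption: these markers identify the
# classically weak suites; PFS, key size and protocol version are not covered.
_WEAK_CHECKS = (
    ("export-grade key length",  re.compile(r"^(EXP|EXPORT)[-_]|_EXPORT_")),
    ("no encryption (NULL)",     re.compile(r"(^|[-_])NULL([-_]|$)")),
    ("no server authentication", re.compile(r"^(ADH|AECDH)[-_]|_anon_")),
    ("RC4 stream cipher",        re.compile(r"(^|[-_])RC4([-_]|$)")),
    ("DES/3DES 64-bit block",    re.compile(r"(^|[-_])(DES|3DES)[-_]")),
    ("MD5 MAC",                  re.compile(r"(^|[-_])MD5$")),
)

# Constructed sample: a mix of OpenSSL-style and IANA-style names.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256",
    "AES128-SHA",
    "RC4-SHA",
    "EXP-RC4-MD5",
    "DES-CBC3-SHA",
    "NULL-SHA",
    "AECDH-AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]


def classify_cipher(name: str) -> List[str]:
    """Return every weakness reason matched by the suite name (empty = no red flag)."""
    return [reason for reason, pattern in _WEAK_CHECKS if pattern.search(name)]


def is_weak(name: str) -> bool:
    """True if the suite name carries at least one weakness marker."""
    return bool(classify_cipher(name))


def audit_cipher_list(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged suite in `names` to its list of reasons."""
    return {n: classify_cipher(n) for n in names if is_weak(n)}


def audit_local_stack(cipher_string: str = "ALL:COMPLEMENTOFDEFAULT:@SECLEVEL=0") -> Tuple[List[str], Dict[str, List[str]]]:
    """Enumerate suites the local OpenSSL build can still negotiate and flag the weak ones.

    The cipher string deliberately widens the list so legacy suites show up if the
    library still ships them; builds that reject it fall back to plain "ALL".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        ctx.set_ciphers("ALL")
    names = [c["name"] for c in ctx.get_ciphers()]
    return names, audit_cipher_list(names)


if __name__ == "__main__":
    print("constructed sample:")
    for suite, reasons in audit_cipher_list(SAMPLE_SUITES).items():
        print(f"  {suite}: {', '.join(reasons)}")
    names, weak = audit_local_stack()
    print(f"\nlocal stack ({ssl.OPENSSL_VERSION}): {len(names)} suites negotiable, {len(weak)} flagged")
    for suite, reasons in weak.items():
        print(f"  {suite}: {', '.join(reasons)}")
```

Running it prints the flagged suites from the sample and then the same audit over the local library. A suite that is absent from the local list is one that library can no longer negotiate at all, which is the stronger guarantee the message argues browsers should eventually provide.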
Received on Tuesday, 9 September 2014 00:09:46 UTC
