W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2014

Re: CSP: Minimum cipher strength

From: Mike West <mkwst@google.com>
Date: Wed, 10 Sep 2014 09:57:30 +0200
Message-ID: <CAKXHy=eWJUApsk6VVCKrGMh1a8u1ZmFBLYt2cD=EKDpAoxBfQA@mail.gmail.com>
To: Frederik Braun <fbraun@mozilla.com>, Chris Palmer <palmer@google.com>, Ryan Sleevi <sleevi@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
+palmer, sleevi

Limiting the cipher suites which are acceptable for subresources seems
brittle. User agents should simply refuse to accept insecurely configured
SSL, rather than asking sites to keep up to date with the latest
understanding of the crypto landscape.

This feels like something that might be better suited to HSTS/PKP than CSP.
In particular, some sort of flag on those headers that would prevent
mixed-pinning might be a valuable addition.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Sep 9, 2014 at 11:03 AM, Frederik Braun <fbraun@mozilla.com> wrote:

> On 08.09.2014 22:54, Erlend Oftedal wrote:
> > Hi
> >
> > Reading the chapter this blog
> > post
> http://marc.durdin.net/2014/09/risks-with-third-party-scripts-on-internet-banking-sites/
> made
> > me think about the problem of using third party scripts where the
> > SSL/TLS is poorly configured, and how we could deal with that.
>
> You can reduce the risk of trusting third party scripts with
> http://www.w3.org/TR/SRI/ ;-)
>
>
Received on Wednesday, 10 September 2014 07:58:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:06 UTC