[WEB SECURITY] fyi: Strict Transport Security (STS) specification
- From: =JeffH <Jeff.Hodges@xxxxxxxxxxxxxxxxx>
- Date: Wed, 23 Sep 2009 10:19:41 -0700
Of possible interest to websecurity@xxxxxxxxxxxxx denizens...
[ note also that NoScript will be implementing the (draft) STS spec in version 1.9.8.9 ]
------- Forwarded Message
Date: Fri, 18 Sep 2009 18:00:50 -0700
From: =JeffH <Jeff.Hodges@xxxxxxxxxxxxxxxxx>
To: public-webapps@xxxxxx
cc: Jeff Hodges <jeff.hodges@xxxxxxxxxx>,
Adam Barth <abarth@xxxxxxxxxxxxxxxxx>,
Collin Jackson <collin.jackson@xxxxxxxxxx>
Subject: fyi: Strict Transport Security specification
Hi,
We wish to bring the following draft specification to your attention..
Strict Transport Security (STS)
<http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html>
It specifies a refined approach to that described by Jackson and Barth in..
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks
https://crypto.stanford.edu/forcehttps/
An experimental implementation of STS will be appearing in the Google Chrome
dev channel in the not-too-distant future..
Google Chrome 4.0.211.0 (dev channel)
Sid Stamm (of Mozilla) has a Firefox extension presently implementing
an earlier revision of this specification (a soon-to-appear v2.0 of
the extension will implement the present spec version)..
Force-TLS 1.0.3
https://addons.mozilla.org/en-US/firefox/addon/12714
Sid also discusses this approach in this blog post..
Locking up the valuables: Opt-in security with ForceTLS
<http://blog.mozilla.com/security/2009/07/27/locking-up-the-valuables-opt-in-security-with-forcetls/>
We are interested in bringing this work to W3C WebApps Working Group as a
Recommendation-track specification. We are willing to license it under W3C
terms, we understand that it may change due to implementer or public feedback,
and that should it be of interest to other implementors, we're willing to
contribute to editorial and test suite efforts.
We're looking forward to the WebApps WG's feedback and comments.
Thanks,
=JeffH
PayPal InfoSec Team
Collin Jackson
Carnegie Mellon University
Adam Barth
University of California Berkeley
------- End of Forwarded Message
Brought to you by http://www.webappsec.org