Date: Fri, 12 Feb 2016 09:58:47 -0500
From: David Leo <httpsonly.github.io@...il.com>
To: oss-security@...ts.openwall.com
Cc: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: Re: HTTPS Only (Open Source, Python)

Yes, Mozilla said, "Gradually phasing out access to browser features
for non-secure websites", in April 2015. After more than six months,
they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all
HTTP requests". The problem: nothing happens when the browser tries HTTP -
there should be a warning (it's incorrect behavior) and options (try
HTTPS, Google Cache, etc). People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

So I made this project, because I lost patience a long time ago.

Best Wishes,

On Thu, Feb 11, 2016 at 11:56 AM, P J P <ppandit@...hat.com> wrote:
> +-- On Thu, 11 Feb 2016, David Leo wrote --+
> | If browser tries to access HTTP address,
> | you will have three options:
> | try HTTPS,
> | Google Cache,
> | or copy-and-paste the address.
> |
> | There is no option to "temporarily bypass HTTPS Only".
> | You can always do that in another browser.
> |
> | Project Home Page:
> | https://httpsonly.github.io/
>
> Browsers too are moving there:
>   -> https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
>
> (just to note)
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
