Date: Fri, 12 Feb 2016 09:58:47 -0500
From: David Leo <httpsonly.github.io@...il.com>
To: oss-security@...ts.openwall.com
Cc: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: Re: HTTPS Only (Open Source, Python)

Yes, Mozilla said,
"Gradually phasing out access to browser features for non-secure websites",
in April 2015.
After more than six months, they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default,
but there is "Block all HTTP requests".
The problem: nothing happens when the browser tries HTTP -
there should be a warning (it's incorrect behavior)
and options (try HTTPS, Google Cache, etc.).
People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

So I made this project,
because I lost patience a long time ago.

Best Wishes,

On Thu, Feb 11, 2016 at 11:56 AM, P J P <ppandit@...hat.com> wrote:
> +-- On Thu, 11 Feb 2016, David Leo wrote --+
> | If browser tries to access HTTP address,
> | you will have three options:
> | try HTTPS,
> | Google Cache,
> | or copy-and-paste the address.
> |
> | There is no option to "temporarily bypass HTTPS Only".
> | You can always do that in another browser.
> |
> | Project Home Page:
> | https://httpsonly.github.io/
>
> Browsers too are moving there:
> -> https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
>
> (just to note)
> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F