Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 5 Aug 2014 15:29:10 +0400
Subject: Re: CVE Request: Enforce use of HTTPS for MathJax in IPython

On 03-Aug-2014 12:19:49 -0400, Donald Stufft wrote:

 >> Simple question: who do you trust more - your ISP or site owner?
 >> Or should I ask whether you trush either of them?
 > This is a nonsensical point too. I have to trust the site owners
 > to some degree. To what degree broadly depends on what the site
 > itself does however at the very least they'll be able to see
 > what account I'm attempting to use.

Or unable to see that unless _you_ deside to log in.

Together with disabling cookies by default and wiping them on
a regular basis, that may be wise (depending of the sites you
visit, of course).

 > With enforced HTTPS and HSTS I don't have to trust my ISP.

You should either trust them or avoid signing the contract :-)

However, if you suspect them in something unpleasant, you may
enforce HTTPS on _your_ side, using it everywhere (with sites
that support it).

Also, self-signed certificates (or own CA) is safer for your
users than any third-party: when a server certificate changes
without previous notice, user may be absolutely sure something
went wrong.

 >> When a site allows anonymous access, that may be performed
 >> via HTTP. Authenticated (over HTTPS) users may (and normally
 >> should) work via HTTPS, but forcing all users to use HTTPS
 >> is "a VERY bad idea" // (q) Kurt Seifried, 2014-08-03
 > What is the downside to forcing HTTPS.

Is this a question?

Well, now I have a non-trivial answer to it: I've faced the error
"ssl_error_no_cypher_overlap" several times when trying to access
such HTTPS-only sites, and, instead of getting there "insecurely",
I was unable to get there at all.

Yes, I use modern OpenSSL version built without support for weak

Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.