[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Repo-criteria-discuss] Defining C6 (HTTPS) more precisely
|
From: |
Josh Triplett |
|
Subject: |
[Repo-criteria-discuss] Defining C6 (HTTPS) more precisely |
|
Date: |
Thu, 28 Apr 2016 09:00:28 -0700 |
|
User-agent: |
Mutt/1.5.23 (2014-03-12) |
[Please CC me on responses.]
Quoting criteria C6:
> Support HTTPS properly and securely, including the site's certificates. (C6)
"properly and securely" seems rather vague. I think we should spell out
exactly what we expect. Suggested wording:
Support HTTPS properly and securely. The site must use a certificate
recognized as secure by multiple major Free Software web browsers. Pages
on the site must not reference any resources via insecure HTTP, whether
resources provided by the site itself or by third parties. Any insecure
HTTP request should either fail or redirect to the corresponding
resource via HTTPS. If the site uses cookies, all cookies must be marked
as "secure". (C6)
Does this seem reasonable?
Optionally, the "Extra Credit" level could mention additional HTTPS best
practices, including the use of ephemeral keys, HSTS, the HSTS preload
list, and public key pinning. Or perhaps just incorporate the OWASP TLS
best-practices document by reference.
- Josh Triplett
- [Repo-criteria-discuss] Defining C6 (HTTPS) more precisely,
Josh Triplett <=