@sleevi_ @alexstamos @BRIAN_____ @_mwc Chrome could have a soft failure mode for weak https where the connections aren't marked as secure.
Replying to @CopperheadOS
@sleevi_ @alexstamos @BRIAN_____ @_mwc And it can be disabled when HSTS is enabled. So it won't hurt more than the fact that http can work.
Replying to @CopperheadOS
@sleevi_ @alexstamos @BRIAN_____ @_mwc It would also be a nice way of coping with CA misbehavior that's deemed as not warranting removal.
Replying to @CopperheadOS
@sleevi_ @alexstamos @BRIAN_____ @_mwc Instead, just stop marking those connections as secure and break the HSTS subset.
Replying to @CopperheadOS
@sleevi_ @alexstamos @BRIAN_____ @_mwc Anyone using HSTS should be capable of moving to a new certificate promptly, so it's not a big deal.
Replying to @CopperheadOS
@sleevi_ @alexstamos @BRIAN_____ @_mwc Chrome is essentially already doing this to an extent. It could be taken much further though.
Replying to @CopperheadOS
@CopperheadSec @sleevi_ @alexstamos @_mwc Firefox is already doing better than that as of today. See https://www.fxsitecompat.com/en-US/docs/2015/sha-1-based-certificates-with-validity-period-from-2016-will-not-be-validated/ ….
Replying to @BRIAN_____
@BRIAN_____ @CopperheadSec Chrome is doing the same. That said, Chrome is generally opposed to soft-UI as it's a feel-good anti-pattern.
Replying to @sleevi_
@sleevi_ @CopperheadSec Re: "the same." Are you sure? It seems like Firefox is doing the right thing & Chrome is doing something useless.
Replying to @BRIAN_____
@BRIAN_____ Depends on useless. Discourages SHA-1 EE, doesn't prevent SHA-1 intermediates. FF looks like it only rejects new ints?
@sleevi_ https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/tests/unit/test_cert_sha1.js#44 …