oss-sec mailing list archives
Re: HTTPS Only (Open Source, Python)
From: David Leo <httpsonly.github.io () gmail com>
Date: Fri, 12 Feb 2016 09:58:47 -0500
Yes, Mozilla said, "Gradually phasing out access to browser features for non-secure websites", in April 2015.
After more than six months, they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all HTTP requests".
The problem: nothing happens when the browser tries HTTP - there should be a warning (it's incorrect behavior) and options (try HTTPS, Google Cache, etc.).
People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

So I made this project, because I lost patience a long time ago.

Best Wishes,

On Thu, Feb 11, 2016 at 11:56 AM, P J P <ppandit () redhat com> wrote:
+-- On Thu, 11 Feb 2016, David Leo wrote --+
| If browser tries to access HTTP address,
| you will have three options:
| try HTTPS,
| Google Cache,
| or copy-and-paste the address.
|
| There is no option to "temporarily bypass HTTPS Only".
| You can always do that in another browser.
|
| Project Home Page:
| https://httpsonly.github.io/

Browsers too are moving there:
  -> https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/

(just to note)
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F