Downgrade policy #8

Open
J0WI opened this issue Jul 6, 2021 · 2 comments

Comments


J0WI commented Jul 6, 2021

Previous lists like preloaded HSTS or HTTPS Everywhere rulesets have some downgrade protection that prevents anyone from silently deleting a host from the list. E.g. if the encryption of a site is broken due to an expired certificate or something, you may want to give the admins some time to fix it rather than downgrading to an unencrypted connection.
What policy do you have to remove a host from the Smarter Encryption list?

See e.g. https://github.com/EFForg/https-everywhere/blob/master/CONTRIBUTING.md#removal-of-rules

zachthompson (Contributor) commented

Sites that are in the list are periodically re-checked and have to pass the same criteria as when first added. SSL certs that are expiring/expired are checked separately.


J0WI commented Jul 26, 2021

This seems like the policy is vulnerable to attacks like SSL Stripping.
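One way to give a re-check policy the downgrade protection discussed in this thread, as an added example rather than code from the Smarter Encryption project: a host that fails a re-check (for instance because of an expired certificate) enters a grace period and is only dropped after several consecutive failures spread over that period, so a single bad probe or a short outage never silently removes the upgrade. The thresholds, the `content_matches` criterion and the base date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds (not the project's own policy): a host is dropped only
# after repeated failures spread over a grace period, never on one bad probe.
GRACE_DAYS = 30
MIN_FAILED_CHECKS = 3

@dataclass
class CheckResult:
    https_reachable: bool   # TLS handshake + HTTP response on port 443 succeeded
    cert_valid: bool        # chain validates and is not expired
    content_matches: bool   # HTTPS content equivalent to HTTP (hypothetical criterion)

@dataclass
class HostState:
    host: str
    first_failure: Optional[date] = None   # start of the current failure streak
    failed_checks: int = 0                 # consecutive failed re-checks

def passes(r: CheckResult) -> bool:
    return r.https_reachable and r.cert_valid and r.content_matches

def decide(state: HostState, result: CheckResult, today: date) -> str:
    """Return 'keep', 'grace' or 'remove' and update the host's failure streak."""
    if passes(result):
        state.first_failure, state.failed_checks = None, 0
        return "keep"
    if state.first_failure is None:
        state.first_failure = today
    state.failed_checks += 1
    streak = today - state.first_failure
    if state.failed_checks >= MIN_FAILED_CHECKS and streak >= timedelta(days=GRACE_DAYS):
        return "remove"          # admins had the whole grace period to fix it
    return "grace"               # still listed: no silent downgrade to plain HTTP

def simulate(host: str, probes: list) -> list:
    """probes: (day_offset, CheckResult) pairs; returns the decision per probe."""
    state, base = HostState(host), date(2021, 7, 6)   # constructed base date
    return [decide(state, r, base + timedelta(days=d)) for d, r in probes]
```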
