[HTTPS-Everywhere] HTTPS Everywhere 0.3.0.development.1

Colonel Graff graffatcolmingov at gmail.com
Sat Nov 13 14:11:00 PST 2010


Also, I can't say I trust GitHub's SSL given their latest "SSL Prevention
Phase" blog post:
https://github.com/blog/743-sidejack-prevention-phase-3-ssl-proxied-assets
It's not actually SSL; as they put it, "The /src/ attribute is rewritten to
proxy through our normal asset servers so it **appears** to come from a
secure source." All this does is fix the warning.

On Sat, Nov 13, 2010 at 5:05 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:

> On Sat, 13 Nov 2010 13:51:25 -0800
> Peter Eckersley <pde at eff.org> wrote:
>
> > It's worth noting that in a use case like this, HTTPS Everywhere is
> > equivalent to HSTS:
> >
> > https://secure.wikimedia.org/wikipedia/en/wiki/Strict_Transport_Security
>
> No.  sslstrip can easily be extended to remove
> Strict-Transport-Security headers from responses that it forwards to the
> client (if it does not do so already).
>
>
> Robert Ransom