[HTTPS-Everywhere] Forward Secrecy Indicator
Jacob Hoffman-Andrews
jsha at eff.org
Mon Jan 5 11:59:50 PST 2015
Hi Libertas,

Thanks for working on this. It's a good start. But it needs to take into
account subresources. To get "forward secret" badging, the page should
have no mixed content, and all subresources (including those inside
iframes) should also be loaded with forward secret cipher suites.

There's also an issue where session ticket keys can break forward
secrecy, but we probably don't need to / can't detect that in a browser
extension:
https://www.imperialviolet.org/2013/06/27/botchingpfs.html

On 01/04/2015 07:54 PM, Libertas wrote:
> I'm not entirely sure what the diff at lines 13-14 in the patch means,
> so be sure that it doesn't insidiously change anything.

Those are normal indicators of which files are being patched.
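
The badging rule described in the message above (no mixed content, and every subresource including those inside iframes loaded with a forward secret cipher suite), as an added example that is not part of the original message or the HTTPS Everywhere code. The record shape, the function names and the sample page are assumptions made for illustration; only TLS 1.2-and-earlier suite names are classified.

```javascript
// Added example; the {url, cipherSuite, subresources, frames} record shape is an
// assumption for illustration, not an HTTPS Everywhere or browser API.

// TLS <= 1.2 suite names whose key exchange is ephemeral (forward secret).
const FS_KEY_EXCHANGE = /^TLS_(ECDHE|DHE)_/;

function isForwardSecretSuite(name) {
  return FS_KEY_EXCHANGE.test(name || "");
}

// Walk the page and every nested frame, collecting each reason to withhold the badge.
// Session ticket key handling on the server is not visible in these records.
function badgeProblems(doc, path = "top") {
  const problems = [];
  const loads = [{ url: doc.url, cipherSuite: doc.cipherSuite }, ...(doc.subresources || [])];
  for (const r of loads) {
    if (!r.url.startsWith("https://")) {
      problems.push(`${path}: mixed content ${r.url}`);
    } else if (!isForwardSecretSuite(r.cipherSuite)) {
      problems.push(`${path}: ${r.url} negotiated ${r.cipherSuite}`);
    }
  }
  (doc.frames || []).forEach((frame, i) =>
    problems.push(...badgeProblems(frame, `${path}/frame[${i}]`)));
  return problems;
}

function earnsForwardSecretBadge(page) {
  return badgeProblems(page).length === 0;
}

// Constructed sample: a clean top-level page embedding a frame with two bad loads.
const ECDHE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
const samplePage = {
  url: "https://example.org/", cipherSuite: ECDHE,
  subresources: [{ url: "https://example.org/app.js", cipherSuite: ECDHE }],
  frames: [{
    url: "https://widgets.example.net/embed",
    cipherSuite: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    subresources: [
      { url: "https://cdn.example.net/w.css", cipherSuite: "TLS_RSA_WITH_AES_128_CBC_SHA" },
      { url: "http://cdn.example.net/logo.png", cipherSuite: null },
    ],
  }],
};

console.log(earnsForwardSecretBadge(samplePage), badgeProblems(samplePage));
```

The top-level document alone would pass; the two loads inside the frame are what withhold the badge.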