Open Bug 643900 Opened 14 years ago Updated 2 years ago

Enabling HSTS for a site doesn't force safe renegotiation to be required for the site

Tracking

()

Status:

NEW

People

(Reporter: briansmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Description

•

14 years ago

For HSTS sites, we should ignore all user-set options related to safe renegotiation and instead always use the strictest options for them.

Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Reporter

Comment 1

•

10 years ago

(In reply to Brian Smith (:briansmith, :bsmith, use NEEDINFO?) from comment #0) > For HSTS sites, we should ignore all user-set options related to safe > renegotiation and instead always use the strictest options for them. ...and/or refuse renegotiation requests for HSTS domains when the secure renegotiation extension wasn't negotiated.

Dana Keeler (she/her) (use needinfo) (:keeler for reviews)

Updated

•

9 years ago

Whiteboard: [psm-backlog]

Dana Keeler (she/her) (use needinfo) (:keeler for reviews)

Updated

•

7 years ago

Priority: -- → P5

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

Christoph Kerschbaumer [:ckerschb]

Updated

•

2 years ago

Blocks: hsts

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Enabling HSTS for a site doesn't force safe renegotiation to be required for the site

Categories

(Core :: Security: PSM, defect, P5)

Tracking

()

People

(Reporter: briansmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Updated

Updated

Updated