
Drop support for weak cipher suites for TLS 1.2 on permission.site

Open Kenneth-Barber opened this issue 3 years ago • 2 comments

Even though permission.site gives you the option to connect using HTTP instead of HTTPS, I still feel that it is important for HTTPS to be implemented securely. Please drop support for weak cipher suites for TLS 1.2. See the link below for more details: https://www.ssllabs.com/ssltest/analyze.html?d=permission.site

Kenneth-Barber, Feb 01 '22 17:02

permission.site is intended to be used across a wide variety of browsers.

Given that serious security concerns like downgrade attacks are well mitigated in browsers, I'd argue that compatibility with more cipher suites is more useful than the alternative.

In any case, this project uses GitHub Pages for hosting, and that does not allow this level of configuration. (Alternative hosting would raise barriers to maintenance and contribution.)

lgarron, Feb 05 '22 22:02

I would argue that browsers have good support for cipher suites, so security is more important.

Where can I leave this type of feedback for GitHub Pages?

Kenneth-Barber, Feb 06 '22 22:02