
Downgrade policy

Open J0WI opened this issue 4 years ago • 2 comments

Previous lists like preloaded HSTS or HTTPS Everywhere rulesets have some downgrade protection that prevents anyone from silently deleting a host from the list. E.g. if the encryption of a site is broken due to an expired certificate or something, you may want to give the admins some time to fix it rather than downgrading to an unencrypted connection. What policy do you have to remove a host from the Smarter Encryption list?

See e.g. https://github.com/EFForg/https-everywhere/blob/master/CONTRIBUTING.md#removal-of-rules

J0WI avatar Jul 06 '21 17:07 J0WI

Sites that are in the list are periodically re-checked and have to pass the same criteria as when first added. SSL certs that are expiring/expired are checked separately.

zachthompson avatar Jul 26 '21 17:07 zachthompson

This seems like the policy is vulnerable to attacks like SSL Stripping.

J0WI avatar Jul 26 '21 18:07 J0WI
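An added example, not code from this thread or from the Smarter Encryption project, sketching the kind of downgrade protection the thread asks about: a re-check loop that drops a host only after it has failed continuously for a grace window, with a longer window when the only cause is an expired certificate. The `Check` record, the grace lengths and the re-check history are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical record of one periodic re-check of a listed host
# (assumed shape, not the project's own data model).
@dataclass(frozen=True)
class Check:
    day: date
    passed: bool          # met the same criteria as when first added
    cert_expired: bool    # failure attributable to an expired/expiring certificate


def removal_decision(checks, grace_days=7, cert_grace_days=30):
    """Decide what to do with a listed host from its re-check history.

    'keep'   : the latest check passed
    'warn'   : failing, but still inside the grace window (no silent removal)
    'remove' : failing continuously for at least the grace window
    Returns (decision, days_failing). Grace lengths are assumed values.
    """
    history = sorted(checks, key=lambda c: c.day)
    if not history:
        raise ValueError("no check history for host")
    latest = history[-1]
    if latest.passed:
        return "keep", 0
    # Walk back to the most recent passing check to size the failing streak,
    # and note whether every failure in the streak was an expired certificate.
    streak_start = latest.day
    only_cert_failures = True
    for check in reversed(history):
        if check.passed:
            break
        streak_start = check.day
        only_cert_failures = only_cert_failures and check.cert_expired
    days_failing = (latest.day - streak_start).days
    window = cert_grace_days if only_cert_failures else grace_days
    if days_failing >= window:
        return "remove", days_failing
    return "warn", days_failing


# Constructed history: passed in June, then cert-expiry failures through July.
SAMPLE_HISTORY = [
    Check(date(2021, 6, 20), True, False),
    Check(date(2021, 7, 1), False, True),
    Check(date(2021, 7, 8), False, True),
    Check(date(2021, 7, 15), False, True),
]

if __name__ == "__main__":
    print(removal_decision(SAMPLE_HISTORY))  # still inside the 30-day cert window
```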