According to the initial post of https://bugzilla.mozilla.org/show_bug.cgi?id=689608, the HSTS implementation of NoScript (and Chrome) differs from Firefox's native implementation in that it respects HSTS for sites with self-signed certificates, and a Firefox dev explains the rationale behind doing it differently.
Therefore
HSTS differences
- Giorgio Maone
- Site Admin
- Posts: 9527
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: HSTS differences
NoScript considers a self-signed certificate which the user already chose to import (trust) like any other one (in fact, it doesn't cause any "error" message in Firefox either).
Re: HSTS differences
What about the draft https://tools.ietf.org/html/draft-ietf- ... ort-sec-02 specifying the exact behavior in the case of a self-signed certificate, which differs from "the user accepting it through a UI" and so from the NoScript implementation?
I also agree that if a user accepts a certificate he must know what he is doing, but in the case of a malicious site that presents a crafted cert, it is possible that the legit site could be DoSed, couldn't it?
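As an added illustration, not code from this thread, NoScript or Firefox, here is a constructed model of the two policies under discussion: honouring Strict-Transport-Security on a connection whose self-signed certificate the user imported, versus honouring it only on an error-free trusted connection, and how a user-accepted crafted certificate can plant an HSTS entry for a site that only serves plain HTTP. The header parsing, the `trust_user_overrides` switch and the host names are assumptions of this example.

```python
import re
# Constructed model (assumption: not NoScript's or Firefox's real logic); parses only max-age.
MAX_AGE_RE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)

def parse_sts_max_age(header):
    """Return the max-age of a Strict-Transport-Security value, or None if missing."""
    if header is None:
        return None
    m = MAX_AGE_RE.search(header)
    return int(m.group(1)) if m else None

class HstsStore:
    def __init__(self, trust_user_overrides):
        # True:  NoScript-like, a cert the user imported counts as a valid one
        # False: draft behaviour, header honoured only on an error-free trusted connection
        self.trust_user_overrides = trust_user_overrides
        self.known = {}  # host -> expiry (seconds)

    def observe_response(self, host, https, cert_trusted, user_override, sts_header, now):
        """Learn HSTS state from one response; True if the header was honoured."""
        if not https:
            return False  # an STS header over plain HTTP is always ignored
        if not cert_trusted and not (self.trust_user_overrides and user_override):
            return False  # certificate error: do not learn policy from this connection
        max_age = parse_sts_max_age(sts_header)
        if max_age is None:
            return False
        if max_age == 0:
            self.known.pop(host, None)  # max-age=0 clears a known host
        else:
            self.known[host] = now + max_age
        return True

    def connect(self, host, https, cert_trusted, now):
        """Simulate a navigation: 'ok', 'upgraded' (http rewritten) or 'blocked'."""
        expiry = self.known.get(host)
        if expiry is not None and expiry > now:
            if not https:
                return "upgraded"  # known HSTS host: http:// becomes https://
            if not cert_trusted:
                return "blocked"   # cert error on an HSTS host: hard fail, no click-through
        return "ok"

def dos_scenario(trust_user_overrides):
    """Crafted cert the user accepted carries STS for a site that only serves HTTP.
    'upgraded' means later plain-http visits are forced to an https endpoint it lacks."""
    store = HstsStore(trust_user_overrides)
    store.observe_response("legit.example", True, False, True, "max-age=31536000", now=0)
    return store.connect("legit.example", https=False, cert_trusted=True, now=10)
```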