A user account is required in order to edit this wiki, but we've had to disable public user registrations due to spam.
To request an account, ask an autoconfirmed user on Chat (such as one of these permanent autoconfirmed members).
TLS: Difference between revisions
Jump to navigation
Jump to search
(→TLS: Reduced problems with proxy traversal) |
(→HSTS) |
||
| (6 intermediate revisions by 2 users not shown) | |||
| Line 4: | Line 4: | ||
* Protection of end user credentials | * Protection of end user credentials | ||
* Increased confidentiality (not perfect; domain is leaked, traffic analysis can still tell a great deal) | * Increased confidentiality (not perfect; domain is leaked, traffic analysis can still tell a great deal) | ||
* Service workers | * Access to new platform features | ||
* | ** Service workers | ||
* https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS | ** Push API | ||
* http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html | ** Subresource Integrity | ||
* https://indiewebcamp.com/HTTPS#Why | ** [https://html.spec.whatwg.org/multipage/forms.html#dom-form-requestautocomplete requestAutocomplete()] | ||
* https://konklone.com/post/switch-to-https-now-for-free | ** WebRTC (maybe) | ||
** Web Crypto (only Chrome requires TLS for now) | |||
** Hopefully getUserMedia() and geolocation down the line (mistakenly allowed, will probably have non-TLS deprecation period before disabling there) | |||
* [http://www.infoq.com/articles/Web-Sockets-Proxy-Servers Reduced problems with proxy traversal] | |||
* [https://www.tbray.org/ongoing/When/201x/2012/12/02/HTTPS Tim Bray on why privacy should be on by default] | |||
* [http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html HTTPS is a ranking signal for Google] | |||
* [https://indiewebcamp.com/HTTPS#Why Indie Web Camp on HTTPS] | |||
* [https://konklone.com/post/switch-to-https-now-for-free How to switch to HTTPS for free] | |||
* [https://wiki.mozilla.org/Security/Server_Side_TLS Mozilla recommended server configurations] | |||
== HSTS == | == HSTS == | ||
* https://annevankesteren.nl/2014/09/tls-hsts TL;DR without HSTS your TLS deployment is not worth much | * [https://annevankesteren.nl/2014/09/tls-hsts TLS: deploy HSTS] TL;DR without HSTS your TLS deployment is not worth much | ||
* https://www.eff.org/deeplinks/2014/02/websites-hsts | |||
Latest revision as of 08:21, 15 October 2014
TLS
- Integrity of content (no tampering possible)
- Protection of end user credentials
- Increased confidentiality (not perfect; domain is leaked, traffic analysis can still tell a great deal)
- Access to new platform features
- Service workers
- Push API
- Subresource Integrity
- requestAutocomplete()
- WebRTC (maybe)
- Web Crypto (only Chrome requires TLS for now)
- Hopefully getUserMedia() and geolocation down the line (mistakenly allowed, will probably have non-TLS deprecation period before disabling there)
- Reduced problems with proxy traversal
- Tim Bray on why privacy should be on by default
- HTTPS is a ranking signal for Google
- Indie Web Camp on HTTPS
- How to switch to HTTPS for free
- Mozilla recommended server configurations
HSTS
- TLS: deploy HSTS TL;DR without HSTS your TLS deployment is not worth much
- https://www.eff.org/deeplinks/2014/02/websites-hsts