Open J0WI opened 3 years ago
Sites that are in the list are periodically re-checked and have to pass the same criteria as when first added. SSL certs that are expiring/expired are checked separately.
This seems like the policy is vulnerable to attacks like SSL Stripping.
Previous lists like preloaded HSTS or HTTPS Everywhere rulesets have some downgrade protection that prevents anyone from silently deleting a host from the list. E.g. if the encryption of a site is broke due an expired certificate or something you may want to give the admins some time to fix it rather than downgrading to an unencrypted connection. What policy do you have to remove a host from the Smarter Encryption list?
See e.g. https://github.com/EFForg/https-everywhere/blob/master/CONTRIBUTING.md#removal-of-rules