Strict Transport Security specification

Saturday, September 19th, 2009

I can’t do a detailed post right now, so pointing to the announcement message and the spec itself will have to do. This is what I’ve been working on since joining PayPal…

This specification embodies and refines the approach proposed in:

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks

Change of Affiliation: =JeffH -> PayPal InfoSec Team

Saturday, September 19th, 2009

Ok, my apologies for the latency; this is somewhat old news, but I haven’t as yet “announced” it: I landed at PayPal, in the Information Risk Management organization under Michael Barrett (“InfoSec Team” for short), back in March.

I’m very excited to be working at one of the premier web-based organizations and also directly in the security end of things. I now get to be involved in the adoption and deployment of the various online identity and security technologies I’ve been contributing to for many years, as well as contribute to carrying them forward, and also learn some new things.

The latter has been a fair bit of work and a steep learning curve, as it has involved “web (in)security”, which is a vast swamp involving XSS, CSRF, response-splitting, clickjacking, etc. (hence my crawling into a cave the last several months). And not least, I’ve been very much enjoying meeting and working with key folks involved in web security and browser implementation.

And so with the public announcement of the first web security specification that I’ve contributed to (see next post), it seemed I ought to really pop this frame to the top of the stack and get it out there 8^).