Re: Fetching http:// URIs over TLS by default

Rob Sayre <sayrer@gmail.com> Fri, 20 September 2019 21:58 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 20 Sep 2019 14:56:11 -0700
Message-ID: <CAChr6Szi2AJTxY1N94q-Q681Q39=TKRgVNd2QzcMduei6W7QBg@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CAChr6Szi2AJTxY1N94q-Q681Q39=TKRgVNd2QzcMduei6W7QBg@mail.gmail.com>

On Fri, Sep 20, 2019 at 2:41 PM David Benjamin <davidben@chromium.org> wrote:

> URLs served over http are marked insecure these days, regardless of how
> many labels there are:
> https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
> https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/

That is a little stronger than I thought it was, but nothing close to the
warnings one sees for certificate errors or SafeBrowsing warnings. I just
checked Firefox, Chrome, and Safari. Firefox used a little red. :)

The UI for insecure email in GMail is stronger. (totally-red lock)

>> 2) Allow domains to opt-in to HSTS out-of-band, like in software updates
>> for an OS. This idea seems intriguing, because it would seem to improve
>> security as participants join, unlike a TLS trusted-root store.
>
> The HSTS spec suggests doing this as the pre-load list and indeed
> browsers ship just that.
> https://tools.ietf.org/html/rfc6797#section-12.3
> https://hstspreload.org

They do--I've seen the static list built into Chrome. It seems like the
list should be global, because the lists didn't seem to match on some
important sites. Browsers did record the HSTS data after one visit, but
clearing browsing data seemed to reverse this in some cases.

Also, if we consider apps that do not present an address bar, an
OS-provided list would seem beneficial.

thanks,
Rob
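The HSTS behaviour this exchange turns on (a static preload list versus policies learned from a Strict-Transport-Security header, and which of the two survives clearing browsing data), as an added Python example that is not code from this thread or from any browser; the preload host, header values and fixed clock are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed preload entries (hypothetical hosts): host -> includeSubDomains flag
PRELOAD = {"preloaded.example": True}

def parse_sts(header):
    """Strict-Transport-Security value -> (max_age, include_subdomains);
    None when max-age is missing, repeated or malformed (RFC 6797 6.1)."""
    max_age, include_sub = None, False
    for directive in filter(None, (d.strip() for d in header.split(";"))):
        name, _, value = (s.strip() for s in directive.partition("="))
        name, value = name.lower(), value.strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    """Known-HSTS hosts: a static preload list plus policies learned from headers."""
    def __init__(self, preload=PRELOAD, now=time.time):
        self.preload, self.dynamic, self.now = dict(preload), {}, now
    def observe(self, host, header):
        """Record a policy received over TLS; max-age=0 deletes it (RFC 6797 8.1)."""
        parsed = parse_sts(header)
        if parsed is None:
            return False
        self.dynamic.pop(host.lower(), None)
        if parsed[0]:
            self.dynamic[host.lower()] = (self.now() + parsed[0], parsed[1])
        return True
    def clear_browsing_data(self):
        self.dynamic.clear()  # learned policies are user data; the preload list is not
    def is_known(self, host):
        """Exact entry, or a superdomain entry that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            cand, exact = ".".join(labels[i:]), i == 0
            if cand in self.preload and (exact or self.preload[cand]):
                return True
            entry = self.dynamic.get(cand)
            if entry and entry[0] > self.now() and (exact or entry[1]):
                return True
        return False
    def upgrade(self, url):
        """Rewrite http:// to https:// for a known host (explicit ports kept as-is)."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname or ""):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```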