Re: Fetching http:// URIs over TLS by default

Rob Sayre <> Fri, 20 September 2019 21:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7EF5A120905 for <>; Fri, 20 Sep 2019 14:58:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.998
X-Spam-Status: No, score=-2.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KKTEbspyazn2 for <>; Fri, 20 Sep 2019 14:58:53 -0700 (PDT)
Received: from ( [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0B8E112090B for <>; Fri, 20 Sep 2019 14:58:53 -0700 (PDT)
Received: from lists by with local (Exim 4.89) (envelope-from <>) id 1iBQtU-0002k3-T8 for; Fri, 20 Sep 2019 21:56:48 +0000
Resent-Date: Fri, 20 Sep 2019 21:56:48 +0000
Resent-Message-Id: <>
Received: from ([2603:400a:ffff:804:801e:34:0:4c]) by with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <>) id 1iBQtR-0002jD-NJ for; Fri, 20 Sep 2019 21:56:45 +0000
Received: from ([2607:f8b0:4864:20::d35]) by with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from <>) id 1iBQtQ-0005Y9-B8 for; Fri, 20 Sep 2019 21:56:45 +0000
Received: by with SMTP id n197so19506130iod.9 for <>; Fri, 20 Sep 2019 14:56:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=z0f0oWyX2iE1YG4erw+fYhI7GChzvRF5dbTLrDoEQMw=; b=huDa9ePkpEBQmRSeI2c0WITa2k4/yEv4bvA8KcTxIlpO7X6Pb76YyKrMJPdU//PX5M tyqBoyBkZ+xAIL8SLKVHnfAgcX9vNtL0+AlPzSd1fMY3SVPuVOUlm/2W2Khuy6ppykwx hxhbIBLpIvsLUV6ZDTc2ndXeltw6GbxUtrBvUAxAIrGolhmFm1/rk5rjcVIdKjzSilbh xTplFqgSUOdSeDTZsqsdp/QiQxrPMyJTVVk01KJORW6GpfzhIc8tD6+M2MHabrMwQtE3 XkG1jDkDDZhHVu09x3CU9fVUxwJMYs4uHutp/kFGHXAZqPHQ2ZWW/khQk3J8700Vfka4 12BA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=z0f0oWyX2iE1YG4erw+fYhI7GChzvRF5dbTLrDoEQMw=; b=KEjRroKf6oI0R7sO4C6kxILqd1TsuYoIxGztsEKBG2MuYUK7R5guOIuuZnsm2mPsmJ 8EYF+sJzYZbWn+/UxWfvy8wP/fzpVm39vXSZssnBlxxseAw6es+Fm2i5BYxMiAWa9N9g ZY8BqLgzlCI2w9lbVw5SXigE+6XHhrZ2Wq74x2Lu5KLutyMw8uMRySSA6uMXGXhwyjEi Z7FcQsCqY5srk/wC91B1Zc0FwRKRn1BjKhVSKzSU2fYMIHg8WbQs8PopOMIwepLpCtrJ WVECqXlA1qltbiMs+Ix7lK/gbqPmxuAx9uXe0BOJ96evjXwWfs4gCz+bCGfnfP0UPbRf g6dA==
X-Gm-Message-State: APjAAAVFsgeVtNUJujlUkwXLEUySfjqYbVeHZ3DTQkE5ADImj33iomZl rs3IodLdOH1TonejItBtC1TvS+2Gpw+kKvqsC9h3OEIF/4I=
X-Google-Smtp-Source: APXvYqyJvlRVdmFrknyoUIlJz9PR0bqby4IzqPJ07eZ3xl04QM1IbOzmU/iV0t4wFxE1+hvHvcpiOKQ00xJGg8vsJE0=
X-Received: by 2002:a5e:8902:: with SMTP id k2mr10672443ioj.49.1569016583345; Fri, 20 Sep 2019 14:56:23 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Rob Sayre <>
Date: Fri, 20 Sep 2019 14:56:11 -0700
Message-ID: <>
To: David Benjamin <>
Cc: " Group" <>
Content-Type: multipart/alternative; boundary="00000000000018dae80593032448"
Received-SPF: pass client-ip=2607:f8b0:4864:20::d35;;
X-W3C-Hub-Spam-Status: No, score=-2.6
X-W3C-Hub-Spam-Report: AWL=1.460, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1iBQtQ-0005Y9-B8 20e92574e83689a10430845d41601d2a
Subject: Re: Fetching http:// URIs over TLS by default
Archived-At: <>
X-Mailing-List: <> archive/latest/37027
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

On Fri, Sep 20, 2019 at 2:41 PM David Benjamin <>

> URLs served over http are marked insecure these days, regardless of how
> many labels there are:

That is a little stronger than I thought it was, but nothing close to the
warnings one sees for certificate errors or SafeBrowsing warnings. I just
checked Firefox, Chrome, and Safari. Firefox used a little red. :)

The UI for insecure email in GMail is stronger. (totally-red lock)

> 2) Allow domains to opt-in to HSTS out-of-band, like in software updates
>> for an OS. This idea seems intriguing, because it would seem to improve
>> security as participants join, unlike a TLS trusted-root store.
> The HSTS spec suggests doing this as a the pre-load list and indeed
> browsers ship just that.

They do--I've seen the static list built into Chrome. It seems like the
list should be global, because the lists didn't seem to match on some
important sites. Browsers did record the HSTS data after one visit, but
clearing browsing data seemed to reverse this in some cases.

Also, if we consider apps that do not present an address bar, an
OS-provided list would seem beneficial.