Re: Fetching http:// URIs over TLS by default

Nick Harper <nharper@google.com> Fri, 20 September 2019 22:38 UTC

References: <CAChr6Sxd8p3tOGBVFvrpnj3cUD23quvQHnwbz0RPoF+=13VhUw@mail.gmail.com> <CAF8qwaCTzoBofvQLWw=uQkbNEEFpTsz45Hv4k53NpLiTZavVEg@mail.gmail.com> <CAChr6Szi2AJTxY1N94q-Q681Q39=TKRgVNd2QzcMduei6W7QBg@mail.gmail.com>
In-Reply-To: <CAChr6Szi2AJTxY1N94q-Q681Q39=TKRgVNd2QzcMduei6W7QBg@mail.gmail.com>
From: Nick Harper <nharper@google.com>
Date: Fri, 20 Sep 2019 15:35:39 -0700
Message-ID: <CACdeXiJEOOaE0hptWO91Co6oO_JyWHLv60EOUe5GAJEfFbMsiA@mail.gmail.com>
To: Rob Sayre <sayrer@gmail.com>
Cc: David Benjamin <davidben@chromium.org>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Re: Fetching http:// URIs over TLS by default
Archived-At: <https://www.w3.org/mid/CACdeXiJEOOaE0hptWO91Co6oO_JyWHLv60EOUe5GAJEfFbMsiA@mail.gmail.com>

>
>
>>> 2) Allow domains to opt-in to HSTS out-of-band, like in software updates
>>> for an OS. This idea seems intriguing, because it would seem to improve
>>> security as participants join, unlike a TLS trusted-root store.
>>>
>>
>> The HSTS spec suggests doing this as the pre-load list and indeed
>> browsers ship just that.
>> https://tools.ietf.org/html/rfc6797#section-12.3
>> https://hstspreload.org
>>
>
> They do--I've seen the static list built into Chrome. It seems like the
> list should be global, because the lists didn't seem to match on some
> important sites. Browsers did record the HSTS data after one visit, but
> clearing browsing data seemed to reverse this in some cases.
>

As far as I know, every browser that ships an HSTS preload list bases it
off of the one maintained at hstspreload.org. Different browsers have
different criteria for what exactly to include and may revalidate that a
domain meets the requirements for inclusion (or meets additional
requirements beyond the Chromium ones). The update cycle for
different browsers also impacts which version of the list is in use, but
ultimately I'd expect all browsers to have approximately the same list.

>
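As an added example for the mechanics being discussed (not code from the thread, from any browser, or from hstspreload.org), the block below parses a Strict-Transport-Security header along the lines of RFC 6797 section 6.1, checks it against the header-side requirements that hstspreload.org publishes for submission (a max-age of at least one year, includeSubDomains, and the preload token; treat those values as an assumption here, since the thread does not state them, and note that the preload token itself is a hstspreload.org convention rather than part of RFC 6797), and models a user agent that upgrades http:// URIs using a static preload set plus dynamically learned entries. The toy client makes Rob's observation concrete: clearing browsing data wipes dynamic entries, while preloaded ones survive. The constants and sample hosts are constructed for the example.

```python
"""Added example: RFC 6797 style HSTS parsing, a preload-eligibility check
modelled on the hstspreload.org header requirements (assumed values), and
a toy client that upgrades http:// URIs from preload + dynamic HSTS state."""
import re
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # assumed hstspreload.org minimum max-age, in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 s6.1).
    Directive names are case-insensitive, unknown directives are ignored,
    and a missing or duplicated max-age invalidates the whole header."""
    seen, max_age, include_subdomains, preload = set(), None, False, False
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:          # s6.1: a directive MUST NOT appear twice
            return None
        seen.add(name)
        if name == "max-age":
            if not re.fullmatch(r"[0-9]+", value):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":   # hstspreload.org token, not in RFC 6797
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy):
    """Header-side preload checks (assumed hstspreload.org rules). The site
    also needs a valid chain and an HTTP->HTTPS redirect, not modelled here."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age} < {ONE_YEAR}")
    if not policy.include_subdomains:
        problems.append("missing includeSubDomains")
    if not policy.preload:
        problems.append("missing preload directive")
    return problems


class HstsClient:
    """Toy UA: a static preload set (host -> includeSubDomains) that survives
    'clear browsing data', plus dynamic entries learned from responses."""

    def __init__(self, preload):
        self.preload = dict(preload)
        self.dynamic = {}  # host -> (expiry, include_subdomains)

    def observe(self, host, header, now=None):
        now = time.time() if now is None else now
        policy = parse_sts(header)
        if policy is None:
            return False
        if policy.max_age == 0:        # s6.1.1: max-age=0 forgets the host
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (now + policy.max_age, policy.include_subdomains)
        return True

    def clear_browsing_data(self):
        self.dynamic.clear()           # preload entries are untouched

    def is_known(self, host, now=None):
        """Exact match, or superdomain match with includeSubDomains (s8.2/8.3)."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate, exact = ".".join(labels[i:]), i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry is None:
                continue
            expiry, subs = entry
            if expiry <= now:
                del self.dynamic[candidate]
            elif exact or subs:
                return True
        return False

    def rewrite(self, uri, now=None):
        """s8.3: http -> https, port 80 becomes 443 (dropped), other ports kept."""
        p = urlsplit(uri)
        if p.scheme != "http" or not self.is_known(p.hostname, now):
            return uri
        netloc = p.hostname + (f":{p.port}" if p.port and p.port != 80 else "")
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```

Feed `parse_sts` a real response header and `preload_eligible` tells you why a submission would be rejected on header grounds alone; `HstsClient` shows why an `http://` URI for a preloaded domain is never sent in the clear even on a fresh profile, whereas a domain known only from a prior visit reverts to plain HTTP once the dynamic store is cleared or the entry expires.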