Fetching http:// URIs over TLS by default

Rob Sayre <sayrer@gmail.com> Fri, 20 September 2019 21:22 UTC

From: Rob Sayre <sayrer@gmail.com>
Date: Fri, 20 Sep 2019 14:18:53 -0700
Message-ID: <CAChr6Sxd8p3tOGBVFvrpnj3cUD23quvQHnwbz0RPoF+=13VhUw@mail.gmail.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Subject: Fetching http:// URIs over TLS by default
Archived-At: <https://www.w3.org/mid/CAChr6Sxd8p3tOGBVFvrpnj3cUD23quvQHnwbz0RPoF+=13VhUw@mail.gmail.com>

Hi all,

I was looking at the behavior of several popular websites in the context of
HSTS and DNS hijacking[1]. It seems like these attacks rely on the
relatively-benign security UI of clear-text HTTP pages, the fact that
browsers will send HTTP traffic in the absence of HSTS information, and the
fact that several popular sites still serve redirects to TLS URIs over port
80. That last part is particularly problematic, because a rogue DNS server
can point at an address that will serve a malicious 200 response, and
rewrite links on the served page. (I found several banks serving redirects
from port 80...)

I read the "opportunistic encryption" RFC[2], but the proposal in the
subject line seems different. I had two ideas:

1) Start marking any domain that is one label + a TLD as insecure if served
over http. So, "foo.co.jp" would be marked as insecure over http, but
"foo.bar.co.jp" would not. Obviously, this could be ratcheted up over time.

2) Allow domains to opt-in to HSTS out-of-band, like in software updates
for an OS. This idea seems intriguing, because it would seem to improve
security as participants join, unlike a TLS trusted-root store.

Of course, other approaches, like DoH/DoT and DNSSEC, would attack this
problem from a different angle. Also, I'm not sure if this group is the
right place to propose this idea.

thanks,
Rob

[1] https://www.ixiacom.com/company/blog/paypal-netflix-gmail-and-uber-users-among-targets-new-wave-dns-hijacking-attacks

[2] https://tools.ietf.org/html/rfc8164
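The decision the post is arguing about (does the browser touch port 80 at all, and how does it label the result) can be modelled in a few functions. The following is an added example written for this archive page; it is not code from the post, from the HTTP WG, or from any browser. It assumes a constructed subset of the Public Suffix List in `PUBLIC_SUFFIXES`, a hypothetical out-of-band preload table `PRELOADED_HSTS` standing in for idea 2, and a toy `classify` function that applies idea 1 (flag a bare label + public suffix as insecure over http). The HSTS pieces follow RFC 6797: a `Strict-Transport-Security` header is honoured only when it arrived over https (section 8.1), so the rogue port-80 server from the post can neither plant nor clear an entry, and an upgraded URL drops an explicit port 80 (section 8.3, which maps it to 443, the https default).

```python
"""Toy model of a browser's http:// upgrade and security-UI decision.

Added example, not taken from the original post.  PUBLIC_SUFFIXES and
PRELOADED_HSTS are constructed stand-ins, not the real PSL or any
browser's preload list.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed subset of the Public Suffix List (assumption: enough for the demo).
PUBLIC_SUFFIXES = {"com", "net", "org", "jp", "co.jp", "uk", "co.uk"}

# Hypothetical out-of-band HSTS preload (idea 2): host -> includeSubDomains flag.
PRELOADED_HSTS = {"bank.example.com": True}


def _labels(host):
    return host.lower().rstrip(".").split(".")


def registrable_domain(host):
    """Return the eTLD+1 of host, or None if host is itself a public suffix or unknown."""
    labels = _labels(host)
    for i in range(len(labels)):            # longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def is_bare_registrable(host):
    """Idea 1: exactly one label plus a public suffix, e.g. foo.co.jp but not foo.bar.co.jp."""
    return registrable_domain(host) == ".".join(_labels(host))


def record_hsts(scheme, host, header, cache):
    """Apply a Strict-Transport-Security header to the dynamic HSTS cache.

    RFC 6797 8.1: ignored unless received over a secure transport, so a
    spoofed port-80 origin cannot add an entry or clear one with max-age=0.
    Returns True if the header was accepted.
    """
    if scheme != "https":
        return False
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:                     # max-age is mandatory
        return False
    if max_age == 0:
        cache.pop(host.lower(), None)
    else:
        cache[host.lower()] = include_sub
    return True


def hsts_applies(host, dynamic, preload):
    """Exact host match, or a parent entry flagged includeSubDomains, in either table."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for table in (dynamic, preload):
            if candidate in table and (i == 0 or table[candidate]):
                return True
    return False


def upgrade(url):
    """Rewrite http -> https per RFC 6797 8.3; an explicit :80 becomes the https default."""
    p = urlsplit(url)
    netloc = p.hostname if p.port in (None, 80) else f"{p.hostname}:{p.port}"
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


def classify(url, dynamic_hsts=None, preload=PRELOADED_HSTS):
    """Return (url_to_fetch, verdict) for a navigation to url."""
    p = urlsplit(url)
    if p.scheme == "https":
        return url, "secure"
    if p.scheme != "http" or not p.hostname:
        raise ValueError("unsupported URL")
    if hsts_applies(p.hostname, dynamic_hsts or {}, preload):
        return upgrade(url), "upgraded"     # port 80 is never contacted
    if is_bare_registrable(p.hostname):
        return url, "insecure"              # idea 1: flag it in the UI
    return url, "neutral"                   # today's relatively benign clear-text UI


if __name__ == "__main__":
    cache = {}
    # Ignored: arrived over clear-text http, exactly what a rogue DNS target could send.
    record_hsts("http", "www.example.com", "max-age=31536000", cache)
    record_hsts("https", "example.co.uk", "max-age=31536000; includeSubDomains", cache)
    for u in ("http://foo.co.jp/login", "http://foo.bar.co.jp/",
              "http://www.bank.example.com:80/x", "http://www.example.co.uk/",
              "http://www.example.com/"):
        print(u, "->", classify(u, cache))
```

The two tables are what differ between the post's ideas: the dynamic cache only grows after a site has been visited over https once, which is exactly the window a DNS hijack exploits, whereas a preloaded entry protects the first visit. Note that `is_bare_registrable` depends on the public-suffix data; with a real PSL the "one label + a TLD" rule needs the list's wildcard and exception entries handled, which this toy omits.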