Re: Fetching http:// URIs over TLS by default
Rob Sayre <sayrer@gmail.com> Sat, 21 September 2019 20:32 UTC
From: Rob Sayre <sayrer@gmail.com>
Date: Sat, 21 Sep 2019 13:29:06 -0700
Message-ID: <CAChr6SxfOv916Ka7yRCxaYsRnF8vBrDeFZ9jBU1aioyif4U3Rw@mail.gmail.com>
To: Alexander Neilson <alexander@neilson.net.nz>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Archived-At: <https://www.w3.org/mid/CAChr6SxfOv916Ka7yRCxaYsRnF8vBrDeFZ9jBU1aioyif4U3Rw@mail.gmail.com>
On Fri, Sep 20, 2019 at 10:04 PM Alexander Neilson <alexander@neilson.net.nz> wrote:

> Going a little back to your original proposal (as clarified) do I
> understand correctly that you are suggesting that a specification be
> created stating that (in the first stage) any Domain of <name>.<TLD> served
> over HTTP is regarded as the equivalent of a certificate failure and should
> come with the full scale “this website may be trying to steal your
> information ...” style blocking page requiring a click onto “advanced” mode
> and bypassing or white listing?

Off-list, someone pointed out that this is pretty similar to the already-proposed "Encrypt All Sites Eligible (EASE) Mode":
https://www.eff.org/deeplinks/2018/12/how-https-everywhere-keeps-protecting-users-increasingly-encrypted-web

It seems like some of the bigger sites that aren't on https://hstspreload.org are probably having trouble with its "includeSubDomains" requirement. I'd propose letting any site in the Alexa Top 1000 (or some other traffic measurement) opt in without that requirement. They can then add subdomains where it makes sense. Example: https://hstspreload.org/?domain=mail.google.com.

It also seems like hstspreload.org should be part of OS networking stacks, especially on mobile phones. I don't know whether any vendor has done this.

thanks,
Rob
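Added example, not code from the message or from hstspreload.org: a minimal preload-style lookup showing how the "includeSubDomains" flag changes which hosts get upgraded from http:// to https://, including the apex-only opt-in (subdomains added separately later) that the message proposes. The preload entries and host names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample preload entries (not the real hstspreload.org list):
# host -> True if the entry was registered with includeSubDomains.
PRELOAD = {
    "example.com": True,            # whole-domain entry, as the list normally requires
    "bigsite.example": False,       # apex-only opt-in, as proposed in the message
    "mail.bigsite.example": True,   # a subdomain added later "where it makes sense"
}


def preloaded(host: str) -> bool:
    """Return True if `host` is covered by a preload entry.

    An exact match always counts.  A parent domain's entry only counts when
    that entry carries includeSubDomains; an apex-only parent does not stop
    the walk, so a higher parent with the flag can still match.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        flag = PRELOAD.get(".".join(labels[i:]))
        if flag is None:
            continue
        if i == 0 or flag:
            return True
    return False


def upgrade_url(url: str) -> str:
    """Rewrite an http:// URL to https:// when its host is preloaded.

    Non-http schemes and hosts that are not preloaded are returned unchanged.
    As in RFC 6797, an explicit port 80 becomes the https default, while any
    other explicit port is preserved.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.hostname is None:
        return url
    if not preloaded(parts.hostname):
        return url
    netloc = parts.hostname
    if parts.port and parts.port != 80:
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```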