Re: Fetching http:// URIs over TLS by default

Rob Sayre <> Sat, 21 September 2019 20:32 UTC

From: Rob Sayre <>
Date: Sat, 21 Sep 2019 13:29:06 -0700
To: Alexander Neilson <>
Cc: " Group" <>

On Fri, Sep 20, 2019 at 10:04 PM Alexander Neilson <>

> Going a little back to your original proposal (as clarified), do I
> understand correctly that you are suggesting that a specification be
> created stating that (in the first stage) any domain of <name>.<TLD> served
> over HTTP is regarded as the equivalent of a certificate failure and should
> come with the full-scale “this website may be trying to steal your
> information ...” style blocking page requiring a click onto “advanced” mode
> and bypassing or whitelisting?

Off-list, someone pointed out that this is pretty similar to the
already-proposed "Encrypt All Sites Eligible (EASE) Mode".

It seems like some of the bigger sites that aren't on are probably having trouble with its
"includeSubDomains" requirement. I'd propose letting any site in the Alexa
Top 1000 (or some other traffic measurement) opt in without that
requirement. They can then add subdomains where it makes sense. Example:

It also seems like should be part of OS networking stacks,
especially on mobile phones. I don't know whether any vendor has done this.
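As an added illustration of the "includeSubDomains" point above (example code written for this page, not from the thread or from any preload-list tooling, and assuming the list referred to is the HSTS preload list, whose submission rules at the time of writing are taken to be a max-age of at least one year plus the includeSubDomains and preload directives): a small parser for the Strict-Transport-Security header (RFC 6797 syntax) and a checker that reports why a header would fail submission, with a `relaxed_subdomains` flag that implements the email's proposal of admitting an opted-in site without includeSubDomains.

```python
"""Parse a Strict-Transport-Security header and check it against the HSTS
preload-list submission requirements, then against the relaxed variant from
the email (no includeSubDomains for opted-in high-traffic sites).
Constructed example; the one-year minimum is an assumption about the list's rules."""
import re

ONE_YEAR = 31536000  # assumed preload minimum for max-age, in seconds


def parse_sts(header):
    """Return {directive_name: value_or_None}; names are case-insensitive
    and values may be quoted (RFC 6797). Raises ValueError on a duplicate
    directive (RFC 6797 says UAs must ignore such a header) or a bad max-age."""
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, eq, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if eq else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" in directives:
        raw = directives["max-age"]
        if raw is None or not re.fullmatch(r"\d+", raw):
            raise ValueError("max-age must be a non-negative integer")
        directives["max-age"] = int(raw)
    return directives


def preload_problems(header, relaxed_subdomains=False):
    """List the reasons the header fails preload submission (empty list =
    eligible). With relaxed_subdomains=True the includeSubDomains requirement
    is waived, as the email proposes for opted-in sites."""
    problems = []
    try:
        d = parse_sts(header)
    except ValueError as e:
        return [f"unparseable header: {e}"]
    if "max-age" not in d:
        problems.append("missing max-age (header is invalid without it)")
    elif d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year")
    if "includesubdomains" not in d and not relaxed_subdomains:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems
```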