Re: Proposed Statement on "HTTPS everywhere for the IETF"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 02 June 2015 11:48 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5DCE1B2D42 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 04:48:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3yw_6SMh4h0z for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 04:47:59 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A2E11B2D38 for <ietf@ietf.org>; Tue, 2 Jun 2015 04:47:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0BC6BBEE2; Tue, 2 Jun 2015 12:47:58 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfG1hjKa8Q4b; Tue, 2 Jun 2015 12:47:56 +0100 (IST)
Received: from [10.0.65.147] (unknown [31.216.236.202]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 527BEBEDF; Tue, 2 Jun 2015 12:47:56 +0100 (IST)
Message-ID: <556D97EB.8010401@cs.tcd.ie>
Date: Tue, 02 Jun 2015 12:47:55 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Xiaoyin Liu <xiaoyin.l@outlook.com>, "ietf@ietf.org" <ietf@ietf.org>
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
References: <BAY180-W5419C8EA8F03D7995A568BFFB50@phx.gbl>
In-Reply-To: <BAY180-W5419C8EA8F03D7995A568BFFB50@phx.gbl>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/FCTn3JSOQOpjvX7DCSHoI_QVgUs>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 11:48:01 -0000

Thanks for the good set of proposed actions. I've added those
to a list I'm keeping.

They also all look good, though I think we'll need to figure out
the right thing(s) to do to combine HSTS with the current draft's
concept of plaintext access remaining available. (We do have >1
(sub)domain though, so that may help.)

S.

On 02/06/15 10:37, Xiaoyin Liu wrote:
> Hi,
>  
> I support this IESG statement. Here are my suggestions on how to implement this statement:
>  
> 1) Fix all the mixed content issues on the IETF websites, such as https://tools.ietf.org/wg/dprive/draft-ietf-dprive-problem-statement/, which contains JavaScript loaded from http://trac.tools.ietf.org/tools/trac/htdocs/js/jquery.js.
> 2) Change all hardcoded http links to protocol relative or https, such as the "List Archive" link on [1].
> 3) Add <link rel="canonical" href="https://..."> to every page, so that search engines will prefer to index HTTPS links.[2][3]
> 4) Enable HTTP Strict Transport Security for every IETF subdomains, and submit ietf.org to the HSTS preload list.[4] I know that the IESG still wants cleartext content to be available. But I think HSTS is very important. There are many HTTP links to IETF on the Internet, such as those on our mailing lists, that are unlikely to update regardless of this statement. HSTS can help in this case. People using non-browser clients, IE, and old phone browsers are not affected by HSTS.
> 5) Please ask the RFC Editor Team to update their website (https://www.rfc-editor.org/) according to this IESG statement as well. Currently there is no way to submit or view RFC errata over HTTPS. https://www.rfc-editor.org/errata.php redirects to http://www.rfc-editor.org/errata.php.
>  
> Thanks!
> Xiaoyin Liu
>  
> [1] https://datatracker.ietf.org/wg/appsawg/documents/
> [2] https://tools.ietf.org/html/rfc6596 
> [3] https://support.google.com/webmasters/answer/139066?rd=1#https
> [4] https://hstspreload.appspot.com/
>  		 	   		  
>