Re: Proposed Statement on "HTTPS everywhere for the IETF"

Mark Nottingham <mnot@mnot.net> Tue, 02 June 2015 10:27 UTC

Return-Path: <mnot@mnot.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D581B1A9148 for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 03:27:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YAGTBDoFgR-K for <ietf@ietfa.amsl.com>; Tue, 2 Jun 2015 03:27:56 -0700 (PDT)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E79BE1A9147 for <ietf@ietf.org>; Tue, 2 Jun 2015 03:27:55 -0700 (PDT)
Received: from [192.168.0.3] (unknown [120.149.147.132]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id 54D0E22E260 for <ietf@ietf.org>; Tue, 2 Jun 2015 06:27:53 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Subject: Re: Proposed Statement on "HTTPS everywhere for the IETF"
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20150601164359.29999.35343.idtracker@ietfa.amsl.com>
Date: Tue, 2 Jun 2015 20:27:51 +1000
Content-Transfer-Encoding: quoted-printable
Message-Id: <3383C786-8549-4356-99A4-75786B3CCD83@mnot.net>
References: <20150601164359.29999.35343.idtracker@ietfa.amsl.com>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/dmoHjCkWgDY9mdw813u08-hePLc>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2015 10:27:58 -0000

I support this policy.

I'd suggest that if it's felt that cleartext content needs to be available, it NOT be at <http://www.ietf.org/> (and similar); it should be on a different hostname; e.g., <http://www.cleartext.ietf.org/>. The http version of the URL should 301 to the corresponding https resource, and HSTS should be in use. 

Also, part of the reason for requiring HTTPS is that the Web platform is becoming more powerful, and so it's more vulnerable to a wide variety of attacks on the capabilities of the browser (e.g., camera, geolocation, local storage, etc.) — not just information leakage. See: <https://w3ctag.github.io/web-https/>.

Regards,


--
Mark Nottingham   https://www.mnot.net/