[websec] fyi: HTTPS/HSTS support on www.w3.org servers
"Hodges, Jeff" <jeff.hodges@paypal.com> Wed, 13 January 2016 23:31 UTC
Return-Path: <jeff.hodges@paypal.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E7EF1A88BE; Wed, 13 Jan 2016 15:31:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.201
X-Spam-Level:
X-Spam-Status: No, score=-18.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZMLVr3rWLWdy; Wed, 13 Jan 2016 15:31:43 -0800 (PST)
Received: from den-ipout-03-data1.paypalcorp.com (den-ipout-03-data1.paypalcorp.com [173.224.160.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 748841A8868; Wed, 13 Jan 2016 15:31:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=paypal.com; i=@paypal.com; q=dns/txt; s=pp-dkim1; t=1452727903; x=1484263903; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=lQgxnH4Z00wtABjuOzgskC7IjeoS1/iJhcuLfcUEpTs=; b=qkVWQX85NzKc1k0528AEnunARwZIhWttbYIrNi+frphj+OFoMHhcKMnp 0FeJMwlu8KS08HFlf1FTeiEcB4A3fhq9DAH90c7GJIRPEbXvwoxDKvIi2 eAD7vVR3R7gv3AQYFF7scANEkxdTurcXGvg9XObqKrsmCRaeNz10wycU+ BJg6WUP2m+4hUZ0HrJsN2HNEJOrl2/bGV80JA1UX/Yfc75D/OTRckrndX cjCGrqWKZqET18EmJIqi7yaFCVatWTA7zJ1CXeyU4xSetiwjmS43nW5xQ MOnEC6ib8Vvv6M04N6kqe18tBUmIgfsAYEe9PrSQ0M2x6j+ezMDpdj+df A==;
X-IronPort-AV: E=Sophos;i="5.22,291,1449558000"; d="scan'208";a="8722043"
Received: from unknown (HELO den-ipcld-02-data1.paypalcorp.com) ([10.184.246.164]) by den-ipout-03-data1.paypalcorp.com with ESMTP; 13 Jan 2016 16:31:41 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.22,291,1449558000"; d="scan'208";a="4481286"
X-CloudService: Office365
Received: from mail-bl2lp0212.outbound.protection.outlook.com (HELO na01-bl2-obe.outbound.protection.outlook.com) ([207.46.163.212]) by den-ipcld-02-data1.paypalcorp.com with ESMTP/TLS/AES256-SHA256; 13 Jan 2016 16:31:41 -0700
Received: from CO2PR06MB457.namprd06.prod.outlook.com (10.141.196.142) by CO2PR06MB458.namprd06.prod.outlook.com (10.141.196.144) with Microsoft SMTP Server (TLS) id 15.1.361.13; Wed, 13 Jan 2016 23:31:39 +0000
Received: from CO2PR06MB457.namprd06.prod.outlook.com ([10.141.196.142]) by CO2PR06MB457.namprd06.prod.outlook.com ([10.141.196.142]) with mapi id 15.01.0361.006; Wed, 13 Jan 2016 23:31:39 +0000
From: "Hodges, Jeff" <jeff.hodges@paypal.com>
To: IETF WebSec WG <websec@ietf.org>
Thread-Topic: HTTPS/HSTS support on www.w3.org servers
Thread-Index: AQHRTlqMKTcDWvpziEW5MHscn4VmDA==
Date: Wed, 13 Jan 2016 23:31:39 +0000
Message-ID: <D2BC1E59.5742F%jehodges@paypalcorp.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jeff.hodges@paypal.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [73.202.80.238]
x-microsoft-exchange-diagnostics: 1; CO2PR06MB458; 5:qHj3vzihfkwS4R+PqzSN/ed3FtzFf7yLcdqTRCDLDISfIfu2fD1o/bUYkP2CnQiR1Qa3+xZxf7MnvFKG+3Z+8Q/aqXQC6L3O3zHqyFHeS05BFgPcU51dHym+tzaHB4Ju1mQCj9VvoG43AUVjRQUW+A==; 24:3aebR2UpY1gUz9n6KZZrvHkgR1Zhwv+aJCZfo+JoWtRSnszkrywA1Ve92FhUMkApbLtO1HEujpE67Ugkh7pcTM4aCUxal1q9sk/6PdAW5Yk=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO2PR06MB458;
x-ms-office365-filtering-correlation-id: 1b1045e0-02fd-4348-0b06-08d31c71afe4
x-microsoft-antispam-prvs: <CO2PR06MB4583FD0207796EE920B49B093CB0@CO2PR06MB458.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(520078)(8121501046)(3002001)(10201501046); SRVR:CO2PR06MB458; BCL:0; PCL:0; RULEID:; SRVR:CO2PR06MB458;
x-forefront-prvs: 08200063E9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(22974007)(52044002)(189002)(377454003)(189998001)(4326007)(73692002)(97736004)(1720100001)(15975445007)(77096005)(110136002)(50986999)(5001960100002)(92566002)(77072002)(54356999)(81156007)(4500500003)(2900100001)(36756003)(2906002)(6116002)(10770500003)(102836003)(5008740100001)(19580395003)(586003)(82432001)(3846002)(1220700001)(1096002)(229853001)(105586002)(40100003)(10290500002)(15974865002)(106356001)(11100500001)(10130500003)(87936001)(99286002)(5004730100002)(10300500001)(106116001)(10630500004)(10400500002)(101416001)(86362001)(122556002)(5002640100001)(450100001)(66066001)(19580405001)(56826009)(163123001); DIR:OUT; SFP:1102; SCL:1; SRVR:CO2PR06MB458; H:CO2PR06MB457.namprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: paypal.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <80CF3F8691476E4EA120BC673543353F@namprd06.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: paypal.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2016 23:31:39.3461 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fb007914-6020-4374-977e-21bac5f3f4c8
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO2PR06MB458
X-CFilter: Scanned den1
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/LvQ4lWGd6S4LNWnm4TrSjDp5P_c>
Cc: saag <saag-bounces@ietf.org>
Subject: [websec] fyi: HTTPS/HSTS support on www.w3.org servers
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 23:31:45 -0000
see below for an interesting announcement re deploying HTTPS/HSTS support on www.w3.org servers, but first, some quick background.. deploying HSTS [RFC6797] can be tricky for sites having non-trivial existing deployments of insecure resources (e.g., accessed via "http://..."), e.g.: www.w3.org. A large reason this is tricky is "mixed content blocking" [1], and in which order in user agents' overall "fetch()" algorithm [2] HSTS and mixed content blocking are integrated. the W3C WebAppSec WG is developing a means, known as "Upgrade Insecure Requests" [3], to address this conundrum. Upgrade Insecure Requests provides a means for webapp deployers (aka "authors") to finess their migration to a fully secure site, and this along with HSTS is what the W3C has deployed (see the forwarded announcement below) [1] https://www.w3.org/TR/mixed-content/ [2] https://fetch.spec.whatwg.org/ [3] https://w3c.github.io/webappsec-upgrade-insecure-requests/ -------- Forwarded Message -------- From: Wendy Seltzer <wseltzer@w3.org> Organization: W3C Date: Monday, January 11, 2016 at 11:42 AM To: "public-webappsec@w3.org" <public-webappsec@w3.org> Subject: Fwd: HTTPS/HSTS support on www.w3.org servers Thanks to WebAppSec for the specs that helped to make W3C's HTTPS update possible (and for the prodding to get there even sooner). Please don't hesitate to share configuration suggestions or bug reports. Thanks! --Wendy -------- Forwarded Message -------- Subject: HTTPS/HSTS support on www.w3.org servers Date: Mon, 11 Jan 2016 08:01:05 -1000 From: Coralie Mercier <coralie@w3.org> Organization: W3C Dear Advisory Committee Representative, Chairs, W3C advocates [1] that the Web platform "actively prefer secure communication." Thanks to recent work in the Web Application Security Working Group [2] and supporting client implementations, and the deployment work of the W3C Systems Team, we are now able to provide HTTPS access to all W3C resources. All W3C documents, including Recommendations, DTDs, and vocabularies will be available with the authentication, integrity-protection, and confidentiality HTTPS supports. HTTPS deployment posed some challenges based on our commitment to preserve substantial archives of historic material (for which we could not simply assume that all links were scheme-relative or convert all included content to HTTPS) and the desire to maintain availability to older clients in the field that might support only HTTP. Accordingly, our setup makes extensive use of the Upgrade Insecure Requests [3] spec, but does not force HTTPS on those who start from HTTP. Up to now, our main servers have enforced access HTTPS access to protected resources and HTTP for public resources. Today we upgraded our main servers to support both HTTP and HTTPS access to public resources. This change involves the following: - Support of the Upgrade-Insecure-Requests HTTP request header [3] for transparently requesting the upgrade of HTTP requests to HTTPS ones. Note that you will only get the benefits of this feature if your browser sends this header. - Support of the Strict-Transport-Security HTTP response header (HSTS) [4] for instructing browsers that they should transparently transform all HTTP requests to HTTPS ones for all access to the www.w3.org domain. All recent browsers support this header [5]. It allows to convert a site to HTTPS without needing to revise the content of all the legacy resources that may have hard-coded HTTP links. We have been supporting this header in lists.w3.org and other domains for a long time. This status is cached in the browser for a given time and will be refreshed each time you browse an HTTPS link to www.w3.org. - We're not planning at this point of time to enforce server redirection of all HTTP requests to HTTPS ones for public resources. This is due to avoid breaking older software that can't be upgraded, such as those in built-in devices. This will be done later at another milestone. As a consequence, if your browser doesn't send the Upgrade-Insecure-Requests header, you'll need to browse an HTTPS links pointing to www.w3.org to get the benefits of using HTTPS on our site. - Note that this change has no effect on namespaces. The actual namespace will continue to use HTTP, even if it is also served through HTTPS. This applies as well for XMI DTD, Schema, and SGML DTDs resources. There may be some side-effects you need to be aware of: - Infinite loops happening if due to server or proxy configuration there are hard-coded redirects to an HTTP link after the HSTS header is cached in your browser. Please send the URL to sysreq@w3.org so that we can fix it. - Mixed-content warnings. They will be raised if you're using a browser that doesn't support Strict-Transport-Security. The solution here is to update to a more recent browser. If you have any other issue feel free to mail sysreq@w3.org. Thank you, Coralie Mercier, Head of W3C Marketing & Communications [1] http://www.w3.org/2001/tag/doc/web-https [2] http://www.w3.org/2011/webappsec/ [3] http://www.w3.org/TR/upgrade-insecure-requests/ (Note that the HTTPS: 1 header has been deprecated in favor of Upgrade-Insecure-Requests in the Editor's draft https://w3c.github.io/webappsec/specs/upgrade/) [4] http://tools.ietf.org/html/rfc6797 [5] https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#Browser_suppor t end
- [websec] fyi: HTTPS/HSTS support on www.w3.org se… Hodges, Jeff