
Re: Proposal: Marking HTTP As Non-Secure

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon, 29 Dec 2014 14:05:11 -0800
Message-ID: <CACvaWvbaeRCHo1hFarfnkvFaodfwLZAvq3Aggy0jkOfRg3OVTw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
Cc: Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Mon, Dec 29, 2014 at 12:59 PM, 'Chris Palmer' via Security-dev
<security-dev@chromium.org> wrote:
> On Fri, Dec 26, 2014 at 8:12 PM, Brian Smith <brian@briansmith.org> wrote:
>
>> It would also be useful to consider search metrics. When I search for
>> "RFC 5246" with Google Search or Yahoo! Search, the top result is
>> http://tools.ietf.org/html/rfc5246. But,
>> HTTPS://tools.ietf.org/html/rfc5246 has the exact-same content. How
>> often does this happen? What can be done to make search engines
>> consider the HTTPS:// variant the canonical, default, choice? (Note:
>> RFC 5246 is the TLS 1.2 specification.)
>
> Yeah, that's a bug we need to fix. I think we gradually are? I have
> pinged the relevant people.

There are a variety of signals, at a variety of quality levels, that
can be used to infer that the scheme is irrelevant. I think some of it
will require heuristics / improvements in the search and indexing side
(and, as Chris said, I know that people at Google are looking at such
signals).

Of the things that apply now, what sites can be doing is:
1) Ensuring HTTP redirects to HTTPS
2) Use canonical URLs - see
https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.

These three things - especially the first two - are signals that most
search engines are already taking into consideration. But all of them
require some degree of a site signalling the intent, which is
understandably a problem of scale. We're also working to evangelize
this better.
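
Added here as a way to verify that a site is actually sending the three signals listed above (example code, not from the thread or from any search engine's indexer); the `example.test` host, the sample responses and the six-month HSTS `max-age` floor are assumptions:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SIX_MONTHS = 15552000  # assumed minimum HSTS max-age in seconds; not from the thread

class _CanonicalFinder(HTMLParser):
    """Collects the href of the first <link rel="canonical"> in a page."""
    def __init__(self):
        super().__init__()
        self.canonical = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "canonical" in (a.get("rel") or "").lower().split():
            self.canonical = self.canonical or a.get("href")

def _header(resp, name):
    """Case-insensitive header lookup on a captured response dict."""
    return next((v for k, v in resp["headers"].items() if k.lower() == name), "")

def audit(http_resp, https_resp):
    """Each response is a dict {"url", "status", "headers", "body"}.
    Returns which of the three signals the site is actually sending."""
    # 1) Plain HTTP must redirect to the same host over https://.
    loc = urlsplit(_header(http_resp, "location"))
    redirect = (http_resp["status"] in (301, 302, 307, 308) and loc.scheme == "https"
                and loc.netloc == urlsplit(http_resp["url"]).netloc)
    # 2) The HTTPS page should name an https:// URL as canonical.
    finder = _CanonicalFinder()
    finder.feed(https_resp["body"])
    canonical = bool(finder.canonical) and urlsplit(finder.canonical).scheme == "https"
    # 3) HSTS must be present with a max-age at or above the assumed floor.
    max_age = 0
    for directive in _header(https_resp, "strict-transport-security").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    return {"redirect": redirect, "canonical": canonical, "hsts": max_age >= SIX_MONTHS}

# Constructed sample responses for a made-up host; not real captures.
GOOD_HTTP = {"url": "http://example.test/rfc5246", "status": 301,
             "headers": {"Location": "https://example.test/rfc5246"}, "body": ""}
GOOD_HTTPS = {"url": "https://example.test/rfc5246", "status": 200,
              "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
              "body": '<link rel="canonical" href="https://example.test/rfc5246">'}
# Same content served on both schemes with none of the signals (the RFC 5246 case above).
BAD_HTTP = {"url": "http://example.test/rfc5246", "status": 200, "headers": {}, "body": "<p>same</p>"}
BAD_HTTPS = {"url": "https://example.test/rfc5246", "status": 200, "headers": {}, "body": "<p>same</p>"}
```

Feed it the two responses a crawler would see for one path and it reports which signals are missing, which is what the indexer has to infer when none are present.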
Received on Monday, 29 December 2014 22:05:38 UTC