Re: Proposal: Marking HTTP As Non-Secure

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 29 Dec 2014 18:01:29 -1000
Message-ID: <708098038786133333@unknownmsgid>
To: "rsleevi@chromium.org" <rsleevi@chromium.org>
Cc: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
> Of the things that apply now, what sites can be doing is:
> 1) Ensuring HTTP redirects to HTTPS
> 2) Use canonical URLs - see
> https://support.google.com/webmasters/answer/139066?hl=en
> 3) Use HSTS, when available.

I think that HTTP-redirect as a solution is "too late". The *preloaded*
HSTS headers initiative seems to be the right solution in order to avoid
that initial HTTP request...

https://hstspreload.appspot.com/

I don't think preloaded HSTS is part of the HSTS standard. How could we
raise adoption?

--
Jim Manico
@Manicode
(808) 652-3805

On Dec 29, 2014, at 12:07 PM, Ryan Sleevi <rsleevi@chromium.org> wrote:

Of the things that apply now, what sites can be doing is:
2) Use canonical URLs - see
https://support.google.com/webmasters/answer/139066?hl=en
3) Use HSTS, when available.
Received on Tuesday, 30 December 2014 04:02:02 UTC
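
The "initial HTTP request" gap discussed in the message above, as an added example that is not part of the original email: a toy Python model of a browser's HSTS state showing which scheme the first and second navigations use with and without a preloaded entry. The names `parse_sts`, `HstsStore`, `first_visit_schemes` and the host `example.test` are hypothetical, and the model assumes preloaded entries cover subdomains and never expire.

```python
def parse_sts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1)."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None  # max-age is required


class HstsStore:
    """Toy model of a browser's HSTS state: preloaded list plus learned hosts."""

    def __init__(self, preloaded=()):
        self.preloaded = {h.lower() for h in preloaded}  # ships with the browser
        self.hosts = {}  # host -> (include_subdomains, expiry time)

    def note_response(self, scheme, host, sts_header, now):
        # The header is honoured only when it arrives over HTTPS.
        policy = parse_sts(sts_header) if scheme == "https" and sts_header else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 forgets the host
        else:
            self.hosts[host.lower()] = (policy["include_subdomains"],
                                        now + policy["max_age"])

    def scheme_for(self, host, now):
        """Scheme actually used when the user navigates to http://host/."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            sub_ok, expires = self.hosts.get(name, (False, 0))
            # Assumption: a preloaded entry also covers its subdomains.
            if name in self.preloaded or (expires > now and (i == 0 or sub_ok)):
                return "https"
        return "http"


def first_visit_schemes(store, host, sts_header, now=0):
    """Schemes of the first and second navigation to http://host/."""
    first = store.scheme_for(host, now)
    # The server redirects to HTTPS and sends the header on that HTTPS response.
    store.note_response("https", host, sts_header, now)
    return first, store.scheme_for(host, now + 1)
```

With an empty store the first navigation leaves as plaintext HTTP even though the site redirects and sends HSTS; with the parent domain preloaded, no plaintext request is made at all.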