
Re: Proposal: Marking HTTP As Non-Secure

From: Ryan Sleevi <rsleevi@chromium.org>
Date: Mon, 29 Dec 2014 20:09:09 -0800
Message-ID: <CACvaWvasPirNCt7NTX82+grWnYdsLwKvFfTQgVERmwV4W7rBsw@mail.gmail.com>
To: Jim Manico <jim.manico@owasp.org>
Cc: "rsleevi@chromium.org" <rsleevi@chromium.org>, Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim.manico@owasp.org> wrote:
>> Of the things that apply now, what sites can be doing is:
> 1) Ensuring HTTP redirects to HTTPS
> 2) Use canonical URLs - see
> https://support.google.com/webmasters/answer/139066?hl=en
> 3) Use HSTS, when available.
>
> I think that HTTP-redirect as a solution is "too late". The *preloaded*
> HSTS headers initiative seems to be the right solution in order to avoid
> that initial HTTP request...

I'm sorry it wasn't clearer what I was saying - but this is about
answering the question about "How do we get search engines to prefer
HTTPS". This is how.

If your search engine is linking to HTTPS because it detected the
above three, then your link is to HTTPS, and thus you don't have that
window.

>
> https://hstspreload.appspot.com/
>
> I don't think preloaded HSTS is part of the HSTS standard. How could we
> raise adoption?
>

It doesn't need to be.
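The three signals listed above (HTTP redirecting to HTTPS, an HTTPS canonical URL, and an HSTS header), plus the preload directives Jim asks about, can all be checked from a site's responses. The following is an added example, not code from this thread or from any of the parties on it: it runs the checks over constructed responses embedded inline, so it needs no network. The HSTS parsing follows the RFC 6797 directive syntax (max-age, includeSubDomains, and the preload token the preload list looks for). The one-year minimum max-age is an assumption, taken from the current hstspreload.org requirements; the preload list's bar was lower when this message was written, so treat that constant as a parameter.

```python
"""Offline checks for the HTTPS-preference signals discussed in the thread.

Added example. Responses are constructed inline (no network). The
preload minimum max-age is an assumption (current hstspreload.org rule).
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: hstspreload.org currently requires max-age >= one year.
PRELOAD_MIN_MAX_AGE = 31536000

REDIRECT_STATUSES = (301, 302, 307, 308)


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Header field names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value (RFC 6797):
    ';'-separated directives, case-insensitive names, optional '=value'."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def redirects_to_https(status: int, headers: Dict[str, str], host: str) -> bool:
    """Signal 1: the http:// response is a redirect to https:// on the same host."""
    if status not in REDIRECT_STATUSES:
        return False
    target = urlsplit(_lower_headers(headers).get("location", ""))
    return target.scheme == "https" and (target.hostname or "") == host.lower()


def canonical_is_https(html: str) -> bool:
    """Signal 2: the page's <link rel="canonical"> points at an https:// URL."""
    for tag in re.findall(r"<link\b[^>]*>", html, re.I):
        rel = re.search(r'rel=["\']?canonical["\']?', tag, re.I)
        href = re.search(r'href=["\']([^"\']+)["\']', tag, re.I)
        if rel and href:
            return urlsplit(href.group(1)).scheme == "https"
    return False


def hsts_status(headers: Dict[str, str]) -> Tuple[bool, bool]:
    """Signal 3: returns (valid HSTS header present, meets preload directives)."""
    raw = _lower_headers(headers).get("strict-transport-security")
    if raw is None:
        return False, False
    d = parse_hsts(raw)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, False  # max-age is mandatory; without it the header is invalid
    eligible = (int(max_age) >= PRELOAD_MIN_MAX_AGE
                and "includesubdomains" in d and "preload" in d)
    return True, eligible


def check_site(host: str, http_status: int, http_headers: Dict[str, str],
               https_headers: Dict[str, str], https_body: str) -> Dict[str, bool]:
    """Combine the three signals for one host."""
    hsts_ok, preload_ok = hsts_status(https_headers)
    return {
        "redirect": redirects_to_https(http_status, http_headers, host),
        "canonical_https": canonical_is_https(https_body),
        "hsts": hsts_ok,
        "preload_eligible": preload_ok,
    }


# Constructed sample responses (not captured from any real site).
GOOD = check_site(
    "example.test", 301, {"Location": "https://example.test/"},
    {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    '<html><head><link rel="canonical" href="https://example.test/"></head></html>')

WEAK = check_site(
    "example.test", 200, {"Content-Type": "text/html"},
    {"Strict-Transport-Security": "max-age=300"},
    '<html><head><link rel="canonical" href="http://example.test/"></head></html>')

if __name__ == "__main__":
    print("good site:", GOOD)
    print("weak site:", WEAK)
```

The "weak" site still sets HSTS, but with a five-minute max-age and no includeSubDomains or preload token; it also answers plain HTTP with a 200 instead of redirecting, so none of the signals a search engine could use to prefer its HTTPS URL are present.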
Received on Tuesday, 30 December 2014 04:09:37 UTC
