W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: Proposal: Marking HTTP As Non-Secure

From: Jim Manico <jim.manico@owasp.org>
Date: Mon, 29 Dec 2014 22:15:10 -1000
Message-ID: <6184730181450918228@unknownmsgid>
To: "rsleevi@chromium.org" <rsleevi@chromium.org>
Cc: Chris Palmer <palmer@google.com>, Brian Smith <brian@briansmith.org>, Chris Bentzel <cbentzel@chromium.org>, Monica Chew <mmc@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, blink-dev <blink-dev@chromium.org>, security-dev <security-dev@chromium.org>, "dev-security@lists.mozilla.org" <dev-security@lists.mozilla.org>
Right.

I'm just politely critiquing what I see as advice regarding HTTPS/TLS
configuration that seems lacking. And yes I pivoted to asking about
•preloaded• HSTS evangelism since I feel it makes the search engine
question moot. Who cares if a search engine returns HTTP or HTTPS
links if we have widespread adoption of preloaded HSTS sites that make
the change in the client.

That's where my thinking was; my apologies if I detailed the conversation.

--
Jim Manico
@Manicode
(808) 652-3805

> On Dec 29, 2014, at 6:09 PM, Ryan Sleevi <rsleevi@chromium.org> wrote:
>
> On Mon, Dec 29, 2014 at 8:01 PM, Jim Manico <jim.manico@owasp.org> wrote:
>>> Of the things that apply now, what sites can be doing is:
>> 1) Ensuring HTTP redirects to HTTPS
>> 2) Use canonical URLs - see
>> https://support.google.com/webmasters/answer/139066?hl=en
>> 3) Use HSTS, when available.
>>
>> I think that HTTP-redirect as a solution is "too late". The ••preloaded••
>> HTST headers initiative seems to be the right solution in order to avoid
>> that initial HTTP request...
>
> I'm sorry it wasn't clearer what I was saying - but this is about
> answering the question about "How do we get search engines to prefer
> HTTPS". This is how.
>
> If your search engine is linking to HTTPS because it detected the
> above three, then your link is to HTTPS, and thus you don't have that
> window.
>
>>
>> https://hstspreload.appspot.com/
>>
>> I don't think preloaded HSTS is part of the HSTS standard. How could we
>> raise adoption?
>
> It doesn't need to be.
Received on Tuesday, 30 December 2014 08:15:40 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC