Re: Testing W3C's HTTPS setup from Richard Barnes on 2015-09-21 (public-webappsec@w3.org from September 2015)

From: Richard Barnes <rbarnes@mozilla.com>
Date: Mon, 21 Sep 2015 13:33:44 -0400
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, Jose Kahan <jose.kahan@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOAcki_gC_6txrA_kStSbu_SWZn5+NEYxu93dnW4V09KN_5geA@mail.gmail.com>

On Mon, Sep 21, 2015 at 1:29 PM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
> > On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
> >> We need a solution that will allow to assume all content is https,
> >> in perpetuity, without needing to upgrade all legacy content.
> >
> > That seems like an unfortunate design decision. I hope you'll change your
> > mind over time. :)
>
> Why?
>
> The header makes the two types of content identical. User agents not
> implementing the header will be considered broken in due course, just
> like user agents not supporting the Host header are today.
>
> I really don't think we should give folks the impression that one is
> better than the other long term, or worse, that the header might go
> away. That just harms adoption.
>

+1

Once we're in a world where we can apply a "universal HSTS" policy, there's
no reason to continue hating on "http:" URIs.


>
>
> --
> https://annevankesteren.nl/
>
>

Received on Monday, 21 September 2015 17:34:12 UTC