Re: Draft finding - "Transitioning the Web to HTTPS"

Hey Tim,

> On 20 Dec 2014, at 4:50 am, Tim Berners-Lee <timbl@w3.org> wrote:
> 
> I think this finding should not be "high level" in that it should omit the arguments.
> I don't feel a TAG finding is something which should do that.
> The world is big, there are many cases out there, like data mashups, where a blanket move to HTTPS just breaks things.
> It should say that clearly.

Generally agreed. The document already says:

“””
Likewise, we realize that transitioning to HTTPS may not be easy for all sites. While the CPU overhead of TLS has been largely overcome by advances in processor technology, the Web platform itself makes changing schemes difficult, both because URLs themselves need to change, and because the URL scheme is also used to trigger different behavior in many platform features. These problems ought to be viewed as opportunities for improvement in the platform, rather than reasons to stop adoption of encryption.
“””

and

“””
Simultaneously, reducing the costs of switching to and using HTTPS should be a continuing area of focus for the W3C. In particular, features that change behavior based upon the URL scheme ("http" to "https") should be examined to see if these differences can either be eliminated or controlled by authors, providing that there is no loss of security or surprising changes in behavior. For example, the [referrer-policy] specification is offering more control over the Referer HTTP header, as part of [CSP2]. The TAG encourages work to identify similar areas of friction and potential mitigations.
“”"

Is this adequate, or would you like something more explicit? E.g., I could see something like this after the first paragraph above:

“””
As the Web transitions to HTTPS, it can be expected that there will be a period where difficulties might be encountered; for example, when a Web site refers to assets or uses services such as ads on a third-party site, and there is a mismatch in their support for encryption, because one has not moved to HTTPS yet.
“””

WDYT?

There’s also a lot of potential new work that follows from this (e.g., indicating what the upstream quality of encryption is in a mashup, using a CDN, etc.), but that seems too speculative to put in yet.


Cheers,

--
Mark Nottingham   http://www.mnot.net/

Received on Friday, 19 December 2014 19:12:50 UTC
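As an added example (my own code, not the draft finding's nor anything posted on this thread), a small Python check for the mismatch the proposed paragraph describes: given a page's HTML and its URL, it lists the subresource references that would still load over plain http once the page itself moves to https, separating active content (scripts, frames, stylesheets, which browsers block) from passive content (images, media, which browsers typically tolerate with a degraded indicator). The HTML and hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Subresource attributes whose scheme matters after a move to HTTPS.
# "active" content is blocked by browsers when mixed; "passive" is usually
# loaded with a warning or a downgraded security indicator.
ATTRS = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}

class SubresourceCollector(HTMLParser):
    """Collect (tag, reference, kind) for every subresource in the document."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheets are loaded as active content
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self.refs.append((tag, attrs["href"], "active"))
            return
        kind = ATTRS.get((tag, "data" if tag == "object" else "src"))
        value = attrs.get("data" if tag == "object" else "src")
        if kind and value:
            self.refs.append((tag, value, kind))

def mixed_content_report(html, page_url):
    """Return (kind, tag, resolved_url) for each subresource that would be fetched
    over plain http once page_url is served over https. Relative and scheme-relative
    references inherit https from the page, so only absolute http:// URLs are listed."""
    https_base = urlunsplit(("https",) + tuple(urlsplit(page_url)[1:]))
    collector = SubresourceCollector()
    collector.feed(html)
    return [(kind, tag, urljoin(https_base, ref))
            for tag, ref, kind in collector.refs
            if urlsplit(urljoin(https_base, ref)).scheme == "http"]

# Constructed sample page: a mix of already-migrated and not-yet-migrated third parties.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//ads.example/tag.js"></script>
<script src="http://ads.example/legacy.js"></script>
</head><body>
<img src="/img/logo.png"><img src="http://partner.example/banner.png">
<a href="http://other.example/">navigation link, not a subresource</a>
</body></html>"""
PAGE_URL = "http://www.example/index.html"  # the page before its own migration
```

Running `mixed_content_report(SAMPLE_HTML, PAGE_URL)` reports the stylesheet and the legacy script as active mixed content and the partner banner as passive; the scheme-relative ad tag and the relative logo are fine.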