Re: Fetching http:// URIs over TLS by default from Alexander Neilson on 2019-09-20 (ietf-http-wg@w3.org from July to September 2019)

From: Alexander Neilson <alexander@neilson.net.nz>
Date: Sat, 21 Sep 2019 11:18:58 +1200
To: ietf-http-wg@w3.org
Message-Id: <2368E30A-5A95-4B0D-9ACC-1E9EF194FF66@neilson.net.nz>

> On 21/09/2019, at 10:44, Rob Sayre <sayrer@gmail.com> wrote:
> 
> 
>> On Fri, Sep 20, 2019 at 3:35 PM Nick Harper <nharper@google.com> wrote:
> 
>> As far as I know, every browser that ships an HSTS preload list bases it off of the one maintained at hstspreload.org. 
> 
> I've found a bunch of small differences, but I agree that those aren't that important. I am looking at sites like these:
> 
> https://hstspreload.org/?domain=apple.com
> 
> https://hstspreload.org/?domain=google.com 
> 
> https://hstspreload.org/?domain=mozilla.org
> 
> These sites can include sign-in UI, and may not include any sensible "not secure" warning, depending on the browser and device form factor.
> 
> thanks,
> Rob

Going a little back to your original proposal (as clarified) do I understand correctly that you are suggesting that a specification be created stating that (in the first stage) any Domain of <name>.<TLD> served over HTTP is regarded as the equivalent of a certificate failure and should come with the full scale “this website may be trying to steal your information ...” style blocking page requiring a click onto “advanced” mode and bypassing or white listing?

If this is your proposal I feel the first step here would be to push towards https being the default whenever not specified (or even better trying for an “HTTPS Happy Eyeballs” where when not specified clients will try https first and http second after a short delay)

I don’t like the idea that users would have to remember to specify HTTPS every time when the work browsers have done has moved towards hiding the protocol from them more and more. Let’s use the end users lack of specificity to actively attempt to upgrade this (I believe there may have been an add on that did this in some browsers before) rather than beating them with a stick when they just type in google.com or <newswebsite>.<TLD> and clients go assume the “bad” choice and we them hit them with a blocking page. That risks training users more and more that those alerts should just be bypassed. 

Regards
Alexander

Received on Saturday, 21 September 2019 05:01:42 UTC