Re: [referrer] HTTPS->HTTP from Mark Nottingham on 2014-10-24 (public-webappsec@w3.org from October 2014)

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 24 Oct 2014 21:18:57 +1100
To: Mike West <mkwst@google.com>
Cc: Jochen Eisinger <eisinger@google.com>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <475A77AF-2C65-4435-9C4E-1DEA1A96955E@mnot.net>
Right now they do; ‘always’ and friends would slow that down.

I’m not lie-down-in-the-road against this, BTW, just a bit surprised to see it. On the face of it, I don’t see any actual attacks; a malicious site can share private information in plenty of other ways besides the Referer. It’s just a question of what incentives and disincentives it gives, in the short and long term.

Cheers,


> On 24 Oct 2014, at 9:15 pm, Mike West <mkwst@google.com> wrote:
> 
> Don't services get _more_ referrers when they move to HTTPS? If I was a newspaper, curious about where my users were coming from, I'd totally want to be an HTTPS site; otherwise I'd lose out on referrer information from the default none-when-downgrade behavior.
> 
> -mike
> 
> --
> Mike West <mkwst@google.com>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
> On Fri, Oct 24, 2014 at 12:12 PM, Mark Nottingham <mnot@mnot.net> wrote:
> When sites migrate to HTTPS, they lose referers to HTTP third-party services; I think that’s the friction that Jochen was trying to avoid (happy to be corrected).
> 
> ‘always’ avoids that friction, but the flip side of the coin is that it makes it easier for third-party services to remain HTTP-only.
> 
> 
> 
> > On 24 Oct 2014, at 9:08 pm, Mike West <mkwst@google.com> wrote:
> >
> > How does that follow, Mark?
> >
> > -mike
> >
> > --
> > Mike West <mkwst@google.com>
> > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > Registergericht und -nummer: Hamburg, HRB 86891
> > Sitz der Gesellschaft: Hamburg
> > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> >
> > On Fri, Oct 24, 2014 at 12:06 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > Doesn’t it encourage third-party services to be lazy and stay on cleartext HTTP?
> >
> >
> > > On 24 Oct 2014, at 9:05 pm, Jochen Eisinger <eisinger@google.com> wrote:
> > >
> > > Google uses the "origin" policy on the search result page.
> > >
> > > I agree that "always" is a two edged sword. From my point of view, the current default referrer behavior makes sense in a world where everybody is happy with HTTP, and HTTPS means something like "banking".
> > >
> > > Today, I think we'd rather have everybody on HTTPS, and I see the "always" policy as a way to make it easier for web sites to migrate to HTTPS without punishing them.
> > >
> > > best
> > > -jochen
> > >
> > > On Fri Oct 24 2014 at 11:56:41 AM Mike West <mkwst@google.com> wrote:
> > > +Jochen, who hopefully has a few minutes to think about this before he disappears into vacationland.
> > >
> > > -mike
> > >
> > > --
> > > Mike West <mkwst@google.com>
> > > Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
> > >
> > > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> > > Registergericht und -nummer: Hamburg, HRB 86891
> > > Sitz der Gesellschaft: Hamburg
> > > Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > > (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> > >
> > > On Fri, Oct 24, 2014 at 9:03 AM, Brian Smith <brian@briansmith.org> wrote:
> > > On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:
> > > The bigger issue, however, is whether this is a good idea at all. In particular, "unsafe-url" removes this prohibition completely, for an *entire* page.
> > >
> > > This is likely to create a situation where those providing third-party functionality want/require referers, so they tell HTTPS sites to set "unsafe-url" or face a functional (or financial) penalty; now not only the intended content but all other fetches from the page will send a referer.
> > >
> > > I understand that there's a delicate balance here; if referers aren't sent at all, sites may be reluctant to move to HTTPS (although one might just say that the sites they're linking to should move to HTTPS!). The question is whether there's a net improvement to Web security.
> > >
> > > Arguably, origin-only and origin-when-cross-origin might get that balance right; I question whether unsafe-url and always (which isn't well-documented, btw) do.
> > >
> > > Has this been discussed yet?
> > >
> > > Mark, if I understand you correctly, then I very much agree with you. See these messages, and others in that thread:
> > >
> > > http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0174.html
> > > http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html
> > >
> > > See also:
> > > https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J
> > >
> > > Cheers,
> > > Brian
> > >
> >
> > --
> > Mark Nottingham   http://www.mnot.net/
> >
> >
> >
> >
> 
> --
> Mark Nottingham   http://www.mnot.net/
> 
> 
> 
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Friday, 24 October 2014 10:19:25 UTC