
Re: [referrer] HTTPS->HTTP

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 27 Oct 2014 11:04:52 -0700
Cc: Mike West <mkwst@google.com>, Jochen Eisinger <eisinger@google.com>, Brian Smith <brian@briansmith.org>, WebAppSec WG <public-webappsec@w3.org>
Message-Id: <7FF3D30F-3AEF-4F62-A091-74C906B10EF2@mnot.net>
To: Brad Hill <hillbrad@gmail.com>
I think you’ve convinced me. 

I do wonder (like Brian) whether this is really CSP, or something separate; it seems like a lot of things are getting shoved into CSP because that’s the tool at hand…

Cheers,


> On 24 Oct 2014, at 9:52 am, Brad Hill <hillbrad@gmail.com> wrote:
> 
> I think in the long term the momentum is clearly towards an all-https
> Web, and the existence of an "always" referrer policy will do very
> little to change that.  I think the only long term question is whether
> this will create lingering potential insecurities that never get
> cleaned up.
> 
> In the short term, it does seem to me that this helps.  The advocates
> of moving a given site to https have limited political capital and
> breakage budget within their organizations.  They often can't say,
> "sure we'll lose $10,000 a week in referral credit to siteX when we
> flip this switch, but think about the long-term incentive it will give
> them to also move to https!"  So I see things that allow motivated
> individual actors more freedom to move in the right direction as a
> positive incentive.  Otherwise a few laggards can retard the movement
> of whole clusters of sites.
> 
> -Brad
> 
> On Fri, Oct 24, 2014 at 3:18 AM, Mark Nottingham <mnot@mnot.net> wrote:
>> Right now they do; ‘always’ and friends would slow that down.
>> 
>> I’m not lie-down-in-the-road against this, BTW, just a bit surprised to see it. On the face of it, I don’t see any actual attacks; a malicious site can share private information in plenty of other ways besides the Referer. It’s just a question of what incentives and disincentives it gives, in the short and long term.
>> 
>> Cheers,
>> 
>> 
>>> On 24 Oct 2014, at 9:15 pm, Mike West <mkwst@google.com> wrote:
>>> 
>>> Don't services get _more_ referrers when they move to HTTPS? If I was a newspaper, curious about where my users were coming from, I'd totally want to be an HTTPS site; otherwise I'd lose out on referrer information from the default none-when-downgrade behavior.
>>> 
>>> -mike
>>> 
>>> --
>>> Mike West <mkwst@google.com>
>>> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>>> 
>>> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
>>> Registergericht und -nummer: Hamburg, HRB 86891
>>> Sitz der Gesellschaft: Hamburg
>>> Geschäftsführer: Graham Law, Christine Elizabeth Flores
>>> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>>> 
>>> On Fri, Oct 24, 2014 at 12:12 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>>> When sites migrate to HTTPS, they lose referers to HTTP third-party services; I think that’s the friction that Jochen was trying to avoid (happy to be corrected).
>>>> 
>>>> ‘always’ avoids that friction, but the flip side of the coin is that it makes it easier for third-party services to remain HTTP-only.
>>> 
>>> 
>>> 
>>>> On 24 Oct 2014, at 9:08 pm, Mike West <mkwst@google.com> wrote:
>>>> 
>>>> How does that follow, Mark?
>>>> 
>>>> -mike
>>>> 
>>>> 
>>>> On Fri, Oct 24, 2014 at 12:06 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>>>> Doesn’t it encourage third-party services to be lazy and stay on cleartext HTTP?
>>>> 
>>>> 
>>>>> On 24 Oct 2014, at 9:05 pm, Jochen Eisinger <eisinger@google.com> wrote:
>>>>> 
>>>>> Google uses the "origin" policy on the search result page.
>>>>> 
>>>>> I agree that "always" is a two-edged sword. From my point of view, the current default referrer behavior makes sense in a world where everybody is happy with HTTP, and HTTPS means something like "banking".
>>>>> 
>>>>> Today, I think we'd rather have everybody on HTTPS, and I see the "always" policy as a way to make it easier for web sites to migrate to HTTPS without punishing them.
>>>>> 
>>>>> best
>>>>> -jochen
>>>>> 
>>>>> On Fri Oct 24 2014 at 11:56:41 AM Mike West <mkwst@google.com> wrote:
>>>>>> +Jochen, who hopefully has a few minutes to think about this before he disappears into vacationland.
>>>>>> 
>>>>>> -mike
>>>>>> 
>>>>> 
>>>>>> On Fri, Oct 24, 2014 at 9:03 AM, Brian Smith <brian@briansmith.org> wrote:
>>>>>>> On Thu, Oct 23, 2014 at 10:29 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>>>>>>> The bigger issue, however, is whether this is a good idea at all. In particular, "unsafe-url" removes this prohibition completely, for an *entire* page.
>>>>>>>> 
>>>>>>>> This is likely to create a situation where those providing third-party functionality want/require referers, so they tell HTTPS sites to set "unsafe-url" or face a functional (or financial) penalty; now not only the intended content but all other fetches from the page will send a referer.
>>>>>>>> 
>>>>>>>> I understand that there's a delicate balance here; if referers aren't sent at all, sites may be reluctant to move to HTTPS (although one might just say that the sites they're linking to should move to HTTPS!). The question is whether there's a net improvement to Web security.
>>>>>>>> 
>>>>>>>> Arguably, origin-only and origin-when-cross-origin might get that balance right; I question whether unsafe-url and always (which isn't well-documented, btw) do.
>>>>>>>> 
>>>>>>>> Has this been discussed yet?
>>>>>>> 
>>>>>>> Mark, if I understand you correctly, then I very much agree with you. See these messages, and others in that thread:
>>>>>>> 
>>>>>>> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0174.html
>>>>>>> http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0162.html
>>>>>>> 
>>>>>>> See also:
>>>>>>> https://groups.google.com/forum/#!msg/mozilla.dev.privacy/wmPzPCdzIU8/Vrugn8XquL4J
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> Brian
>>>>>>> 
>>>> 
>>>> --
>>>> Mark Nottingham   http://www.mnot.net/

--
Mark Nottingham   http://www.mnot.net/
Received on Monday, 27 October 2014 18:05:19 UTC
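The policies argued over in the thread (the none-when-downgrade default, origin, origin-when-cross-origin, unsafe-url and the older "always"), as an added example that is not part of any message above and not code from any browser or from the spec: a JavaScript model of the Referer value each policy produces for an HTTPS page fetching from an HTTP third party. It assumes the thread's "always" has the same full-URL behaviour as unsafe-url, uses only the WHATWG URL class that Node.js and browsers provide as a global, and the hosts news.example and ads.example are constructed for the example.

```javascript
// Added example (not from the thread, a browser, or the Referrer Policy draft):
// a model of the referrer policies the discussion names, so the trade-off
// (attribution for third parties vs. leaking an HTTPS page's URL to cleartext
// endpoints) can be seen on concrete URLs.

// A Referer value never carries credentials or the fragment.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = '';
  u.password = '';
  u.hash = '';
  return u.href;
}

// Serialized origin plus a trailing slash, as sent under an origin-only policy.
function originOf(url) {
  return new URL(url).origin + '/';
}

// "Downgrade" in the thread's sense: a TLS-protected page fetching a non-TLS URL.
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === 'https:' && new URL(toUrl).protocol !== 'https:';
}

function isSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// The Referer value the user agent would send, or null for no header at all.
function refererFor(policy, fromUrl, toUrl) {
  switch (policy) {
    case 'none':
      return null;
    case 'none-when-downgrade':          // the default the thread refers to
      return isDowngrade(fromUrl, toUrl) ? null : stripForReferrer(fromUrl);
    case 'origin':                       // what Jochen says the search result page uses
      return originOf(fromUrl);
    case 'origin-when-cross-origin':
      return isSameOrigin(fromUrl, toUrl) ? stripForReferrer(fromUrl) : originOf(fromUrl);
    case 'always':                       // assumption: modelled as a synonym of unsafe-url
    case 'unsafe-url':
      return stripForReferrer(fromUrl);
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// True when the policy puts more than the page's origin on the wire to a
// cleartext destination, i.e. the path and query become visible to any
// on-path observer, not just to the third party itself.
function exposesPathOnCleartext(policy, fromUrl, toUrl) {
  const r = refererFor(policy, fromUrl, toUrl);
  return r !== null && new URL(toUrl).protocol !== 'https:' && r !== originOf(fromUrl);
}

// Constructed sample inputs: an HTTPS article page whose query string identifies
// a subscriber, fetching a resource from an HTTP-only third party and from the
// same service over HTTPS.
const PAGE = 'https://news.example/article/123?subscriber=alice#top';
const HTTP_THIRD_PARTY = 'http://ads.example/pixel.gif';
const HTTPS_THIRD_PARTY = 'https://ads.example/pixel.gif';
const POLICIES = ['none', 'none-when-downgrade', 'origin', 'origin-when-cross-origin', 'unsafe-url'];

// Referer value and exposure verdict for one page/destination pair under every policy.
function compare(fromUrl, toUrl) {
  const rows = {};
  for (const p of POLICIES) {
    rows[p] = {
      referer: refererFor(p, fromUrl, toUrl),
      exposesPath: exposesPathOnCleartext(p, fromUrl, toUrl),
    };
  }
  return rows;
}

console.log('HTTPS page -> HTTP third party:', JSON.stringify(compare(PAGE, HTTP_THIRD_PARTY), null, 2));
console.log('HTTPS page -> HTTPS third party:', JSON.stringify(compare(PAGE, HTTPS_THIRD_PARTY), null, 2));
```

Run it with `node referrer-policy.js`. The two tables show the point made on both sides of the thread: under the default the HTTP third party gets no Referer at all once the page moves to HTTPS, unsafe-url restores it but puts the article path and subscriber query on the cleartext wire for the whole page, and the origin-only policies give the third party attribution without that exposure.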
