Testing W3C's HTTPS setup

Hi WebAppSec,

Thanks to Jose and the W3C Systems team, as well as to WebAppSec for
development of specs to help the upgrade process, we now have a test
instance for HTTPS on the W3C websites.

Please see Jose's email below for information about the setup. Because
this is an initial test, please don't overwhelm the server by sharing
this information widely yet. We look forward to feedback and discussion
at the WebAppSec F2F next week and online, so that W3C can roll out a
secured website more broadly.

Thanks,
--Wendy

----------------------------------------
The Systems Team set up a test server for testing https, hsts,
and csp against www.w3.org web servers.

Please don't tweet or announce this server so that we may keep its
audience limited. We do not want to advertise this. See Section 3.

The test server is equivalent to our production server setup but it's
sending back those headers and has disabled the automatic switch to
http for public resources. We accept both http and https requests for
public resources but enforce a switch to https for protected
resources. We're striving to make this server as close in content and
setup as that of our production web server.

This is a preview of what we're planning to deploy after the summer
break, once extensive testing and some internal discussions about how
to refer to references (e.g. namespaces, dtd's) are done.

These are the headers that are being sent if the connection is HTTPS:

  Strict-Transport-Security: max-age=86400; includeSubdomains; preload
  Content-Security-Policy: upgrade-insecure-requests

As this is a test instance, the HSTS max-age is limited to one day. We can
reduce it if people want it.  I'm not sure if we want to add a more
restricted CSP.

Among the feedback we're looking for are URLs that result in infinite loops
(switching between http and https) that we may have missed, as well as
mixed-content warnings if you're using the alias access configuration.

1. Accessing the test server
----------------------------

N.B. Be sure you read Section 2. How to clear the HSTS settings in
your browser before you start testing.

* Direct access

Change the server from www.w3.org to www-test.w3.org,
e.g. https://www-test.w3.org/. This will work with all relative URLs
in the server.

You should expect to get more mixed content warnings with this kind of
test due to absolute URLs in some of our resources.

* Alias access

If you know how to do this, change your /etc/hosts so that your
www.w3.org requests are handled by www-test.w3.org:

[[
# www-test.w3.org
128.30.52.122   www.w3.org     www.w3.org
]]

This strategy will make all requests to www.w3.org be served by
www-test.w3.org. It will work even with absolute URLs and gives you
the best preview of the secure setup.

2. How to clear the HSTS settings in your browser
-------------------------------------------------

If you're using www-test.w3.org as an alias for www.w3.org, the hsts
header will persist even if you clear that alias. You'll need to
reset your browser. Here is how to do this for some browsers. For
those not shown here, make sure you know how to disable it before
attempting an alias setup.

* Firefox:
  History -> Clear Recent History -> Site Preference

* Chrome / Opera:
  go to: chrome://net-internals/#hsts
  Under the "Delete domain" section type in the Domain field
  "www.w3.org" and click on the "Delete" button.

If you forget to reset your browser and delete the alias, it will get
stuck in infinite loops switching between http and https for some
public resources, resulting in your IP@ being temporarily banned from
accessing the w3c site. If this is the case, reset your browser, then
mail sysreq@w3.org citing the context, giving your IP@ and ask to
reset it from our access filter.

3. Disclaimer
-------------

www-test.w3.org is only a test server. We try to make it work as a
production one but it may have inconsistent content or be down without
warning. We will shut this server down when the test period is
completed or if it gets too much traffic. Be careful as links
pointing to it (https?://www-test.w3.org/.*) will be broken at that
time. If you're testing it and it goes offline, please mail
sysreq@w3.org for further info and ask when it will become
available again.

Received on Friday, 10 July 2015 17:01:40 UTC
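Two of the checks a tester would want to script for the setup described in the email above, as an added example that is not part of the original message or of the W3C Systems Team's tooling: parsing and sanity-checking the Strict-Transport-Security header the test server sends, and walking a redirect chain to spot the http/https ping-pong the email asks testers to report. The response tables are constructed; nothing is fetched from www-test.w3.org.

```python
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_hsts(value):
    """Split a Strict-Transport-Security header into {directive: value|True}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() or True
    return directives


def check_hsts(value, max_age_limit=86400):
    """Return findings for a test-instance HSTS policy (empty list means OK).
    The one-day limit mirrors the max-age the email says the test server uses."""
    d = parse_hsts(value)
    findings = []
    if not str(d.get("max-age", "")).isdigit():
        return ["missing or non-numeric max-age"]
    if int(d["max-age"]) > max_age_limit:
        findings.append("max-age longer than the one-day test limit")
    if "preload" in d and "includesubdomains" not in d:
        findings.append("preload requires includeSubDomains")
    return findings


def follow_redirects(url, responses, limit=10):
    """Walk a constructed table {url: (status, location)} starting at url.
    Returns (chain, looped): the URLs visited and whether one repeated,
    which is the http<->https loop the email warns can get an IP banned."""
    chain = [url]
    while len(chain) <= limit:
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            return chain, False
        url = urljoin(url, location)      # Location may be relative
        if url in chain:
            return chain + [url], True
        chain.append(url)
    return chain, True                    # too long to be healthy either way
```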