- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Fri, 10 Jul 2015 13:01:36 -0400
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- CC: jose.kahan@w3.org
Hi WebAppSec,

Thanks to Jose and the W3C Systems team, as well as to WebAppSec for development of specs to help the upgrade process, we now have a test instance for HTTPS on the W3C websites. Please see Jose's email below for information about the setup.

Because this is an initial test, please don't overwhelm the server by sharing this information widely yet. We look forward to feedback and discussion at the WebAppSec F2F next week and online, so that W3C can roll out a secured website more broadly.

Thanks,
--Wendy

----------------------------------------

The Systems Team set up a test server for testing https, hsts, and csp against www.w3.org web servers. Please don't tweet or announce this server so that we may keep its audience limited. We do not want to advertise this. See Section 3.

The test server is equivalent to our production server setup but it's sending back those headers and has disabled the automatic switch to http for public resources. We accept both http and https requests for public resources but enforce a switch to https for protected resources. We're striving to make this server as close in content and setup as that of our production web server.

This is a preview of what we're planning to deploy after the summer break, once extensive testing and some internal discussions about how to refer to references (e.g. namespaces, dtd's) are done.

These are the headers that are being sent if the connection is HTTPS:

  Strict-Transport-Security: max-age=86400; includeSubdomains; preload
  Content-Security-Policy: upgrade-insecure-requests

As this is a test instance, the HSTS max-age is limited to one day. We can reduce it if people want it. I'm not sure if we want to add a more restricted CSP.

Among the feedback we're looking for are URLs that result in infinite loops (switching between http and https) that we may have missed, as well as mixed-content warnings if you're using the alias access configuration.

1. Accessing the test server
----------------------------

N.B. Be sure you read Section 2 (How to clear the HSTS settings in your browser) before you start testing.

* Direct access

  Change the server from www.w3.org to www-test.w3.org, e.g. https://www-test.w3.org/. This will work with all relative URLs in the server. You should expect to get more mixed content warnings with this kind of test due to absolute URLs in some of our resources.

* Alias access

  If you know how to do this, change your /etc/hosts so that your www.w3.org requests are handled by www-test.w3.org:

  [[
  # www-test.w3.org
  128.30.52.122 www.w3.org www.w3.org
  ]]

  This strategy will make all requests to www.w3.org be served by www-test.w3.org. It will work even with absolute URLs and gives you the best preview of the secure setup.

2. How to clear the HSTS settings in your browser
-------------------------------------------------

If you're using www-test.w3.org as an alias for www.w3.org, the hsts header will persist even if you clear that alias. You'll need to reset your browser. Here is how to do this for some browsers. For those not shown here, make sure you know how to disable it before attempting an alias setup.

* Firefox: History -> Clear Recent History -> Site Preference

* Chrome / Opera: go to chrome://net-internals/#hsts. Under the "Delete domain" section, type "www.w3.org" in the Domain field and click on the "Delete" button.

If you forget to reset your browser and delete the alias, it will get stuck in infinite loops switching between http and https for some public resources, resulting in your IP@ being temporarily banned from accessing the w3c site. If this is the case, reset your browser, then mail sysreq@w3.org citing the context, giving your IP@ and ask to reset it from our access filter.

3. Disclaimer
-------------

www-test.w3.org is only a test server. We try to make it work as a production one but it may have inconsistent content or be down without warning.

We will shut this server down when the test period is completed or if it gets too much traffic. Be careful as links pointing to it (https?://www-test.w3.org/.*) will be broken at that time. If you're testing it and it goes offline, please mail sysreq@w3.org for further info and ask when it will become available again.
Received on Friday, 10 July 2015 17:01:40 UTC
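As an added example (not part of the mail or the W3C setup), a small Python checker that parses the Strict-Transport-Security value, verifies the two headers the mail lists, and walks a constructed redirect table to find the kind of http/https loop the mail asks testers to report. The sample headers and responses below are constructed; the loop.html path is hypothetical.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value-or-True} (RFC 6797)."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or True
    if directives.get("max-age") in (None, True):
        raise ValueError("HSTS value lacks the mandatory max-age directive")
    directives["max-age"] = int(directives["max-age"])
    return directives

def check_security_headers(headers):
    """Return findings for a response header dict; an empty list matches the mail's setup."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    elif parse_hsts(hsts)["max-age"] > 86400:  # the mail caps the test instance at one day
        findings.append("HSTS max-age exceeds the one-day test limit")
    csp_tokens = {t.strip().lower() for t in lower.get("content-security-policy", "").split(";")}
    if "upgrade-insecure-requests" not in csp_tokens:
        findings.append("CSP lacks upgrade-insecure-requests")
    return findings

def find_redirect_loop(start_url, responses, limit=10):
    """Walk a table {url: (status, location)}; return the first URL revisited, else None."""
    seen = set()
    url = start_url
    for _ in range(limit):
        if url in seen:
            return url
        seen.add(url)
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 307, 308) or location is None:
            return None  # chain ended in a non-redirect
        url = location
    return None  # gave up without seeing a repeat

# Constructed sample data (not captured from the real server); loop.html is a hypothetical
# public page whose https side bounces back to http, the situation the mail asks testers to report.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=86400; includeSubdomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests",
}
SAMPLE_RESPONSES = {
    "http://www.w3.org/loop.html": (301, "https://www.w3.org/loop.html"),
    "https://www.w3.org/loop.html": (302, "http://www.w3.org/loop.html"),
}
```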