Re: [UPGRADE]: What's left? from Yves Lafon on 2015-03-06 (public-webappsec@w3.org from March 2015)

From: Yves Lafon <ylafon@w3.org>
Date: Fri, 6 Mar 2015 05:10:23 -0500 (EST)
To: Mike West <mkwst@google.com>
cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Peter Eckersley <pde@eff.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>
Message-ID: <alpine.DEB.2.00.1503060449520.13846@wnl.j3.bet>

On Fri, 6 Mar 2015, Mike West wrote:

> I've done some work on the "Upgrade Insecure Requests" spec since the FPWD
> was published (and have a 90% functional implementation behind a flag in
> Chrome). I'd appreciate it if folks here would take another look at the
> document to see if we're converging on something we like:
> https://w3c.github.io/webappsec/specs/upgrade/
>
> The only issue noted in the document is
> https://github.com/w3c/webappsec/issues/184, which suggests changing from a
> value-less directive to a whitelist of hosts. I can see how that would be
> valuable, but it seems like a complicated thing to add if we don't actually
> need it. Do folks here think it is necessary?

Well, if you are able to select what to upgrade on a fine-grain basis, you 
are not solving the issue, just reducing the surface of attacks (the 
number of insecure links to upgrade), in that case, they can rewrite part 
of the content to that effect. Here the goal was to mass-upgrade things 
you were not able to rewrite, so not worth the complexity of adding it, 
IMHO.

> In particular, I'm CCing some W3C folks (Ted and Yves) who participated in
> an earlier thread[1] to see if this would help them more quickly migrate to
> HTTPS. Hi! Does this help for the W3C's use-case?

There were a few things, this document addresses the use case of upgrading 
content that are not upgraded by HSTS, which is great!

I'm wondering about the "insecure content warning" on browers, so would 
this make the warning disappear in implementations (ie: is it linked to 
the enforced policies), but that's more implementation-specific.

> Basically, if what we have is good enough, I want to start shipping it in
> Chrome to get developer feedback (and to get sites migrated more quickly).
> If it's not good enough, I want to know how to make it better.

SGTM, in any case, thanks for this!

> Feedback welcome. :)
>
> [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>

-- 
Baroula que barouleras, au tiéu toujou t'entourneras.

         ~~Yves

Received on Friday, 6 March 2015 10:10:29 UTC