
Re: [UPGRADE]: What's left?

From: Jacob Bednarz <jacob.bednarz@gmail.com>
Date: Sat, 7 Mar 2015 16:15:07 +1000 (AEST)
To: Mike West <mkwst@google.com>
cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Peter Eckersley <pde@eff.org>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>
Message-ID: <alpine.OSX.2.11.1503071435070.31225@jacobs-macbook-pro.local>

Hi,

Nice work on the spec! It looks great and I can see a lot of larger organisations
looking to roll this out as a stepping stone to full HTTPS compatibility.

> The only issue noted in the document is
> https://github.com/w3c/webappsec/issues/184, which suggests changing from a
> value-less directive to a whitelist of hosts. I can see how that would be
> valuable, but it seems like a complicated thing to add if we don't actually
> need it. Do folks here think it is necessary?

While I agree it's not necessary to have a whitelist directive on the initial
rollout of this feature, I definitely think it's a must-have for the long term.

My position is very similar to the example given in the spec in that we leverage
external parties (in the hundreds) for assets and only a subset of them actually
have HTTPS enabled on their services. Added to this, we also use a CMS which
until recently would store full protocol-based paths. As a stopgap solution, we
have implemented camo[1] along with some application logic to allow our sites to
be served under HTTPS; however, as you can imagine, this creates additional
maintenance overhead for the purpose of security and is a tough sell to
non-technical stakeholders.

Ideally we would aim to use the 'Upgrade Secure Requests' feature for those who
support HTTPS; however, we would need the option to whitelist domains that
supported it so that we could move off camo gradually.

Again, nice work and I am more than happy to implement this on our end to get
some feedback.

Regards,
Jacob.

[1]: https://github.com/atmos/camo

On Fri, 6 Mar 2015, Mike West wrote:

> I've done some work on the "Upgrade Insecure Requests" spec since the FPWD was published (and have a 90% functional implementation behind a flag in Chrome). I'd appreciate it
> if folks here would take another look at the document to see if we're converging on something we like: https://w3c.github.io/webappsec/specs/upgrade/
> The only issue noted in the document is https://github.com/w3c/webappsec/issues/184, which suggests changing from a value-less directive to a whitelist of hosts. I can see how
> that would be valuable, but it seems like a complicated thing to add if we don't actually need it. Do folks here think it is necessary? 
> 
> In particular, I'm CCing some W3C folks (Ted and Yves) who participated in an earlier thread[1] to see if this would help them more quickly migrate to HTTPS. Hi! Does this
> help for the W3C's use-case?
> 
> Basically, if what we have is good enough, I want to start shipping it in Chrome to get developer feedback (and to get sites migrated more quickly). If it's not good enough, I
> want to know how to make it better.
> 
> Feedback welcome. :)
> 
> [1]: https://lists.w3.org/Archives/Public/www-tag/2014Nov/0031.html
> 
> --
> Mike West <mkwst@google.com>, @mikewest
> 
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law,
> Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
> 
>
Received on Saturday, 7 March 2015 06:15:51 UTC
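
The gradual move off camo described in the message above, as an added example that is not part of the original thread: stored `<img>` URLs whose host is on an HTTPS allowlist are rewritten to `https`, and the rest keep going through camo. The host names, key and `HTTPS_READY` set are constructed; the `/<digest>/<hex url>` path follows camo's documented URL format.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed values for illustration; none of them come from the thread.
CAMO_BASE = "https://camo.example.test"
CAMO_KEY = b"constructed-shared-secret"
HTTPS_READY = {"cdn.example.test"}  # hosts confirmed to serve HTTPS

# camo proxies images only, so only <img src="http://..."> is touched.
# A regex keeps the example short; a real CMS filter would use an HTML parser.
IMG_SRC = re.compile(r'(<img\b[^>]*?\ssrc\s*=\s*["\'])(http://[^"\'\s>]+)', re.I)


def camo_url(url):
    """camo path format: /<HMAC-SHA1 hex digest of url>/<hex-encoded url>."""
    digest = hmac.new(CAMO_KEY, url.encode(), hashlib.sha1).hexdigest()
    return f"{CAMO_BASE}/{digest}/{url.encode().hex()}"


def secure_image(url):
    """Return (rewritten_url, action) for one http:// image URL."""
    parts = urlsplit(url)
    if parts.hostname in HTTPS_READY:
        # Drop an explicit :80 so the https URL does not target the plaintext port.
        netloc = parts.netloc[:-3] if parts.port == 80 else parts.netloc
        upgraded = ("https", netloc, parts.path, parts.query, parts.fragment)
        return urlunsplit(upgraded), "upgraded"
    return camo_url(url), "proxied"


def rewrite(html):
    """Rewrite stored markup; report which hosts still depend on the proxy."""
    report = {}

    def repl(match):
        new_url, action = secure_image(match.group(2))
        report[urlsplit(match.group(2)).hostname] = action
        return match.group(1) + new_url

    return IMG_SRC.sub(repl, html), report
```

The returned report doubles as the migration backlog: every host still marked `proxied` is one that has to gain HTTPS before camo can be retired.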
