Re: [UPGRADE]: What's left? from Eric Mill on 2015-03-08 (public-webappsec@w3.org from March 2015)

From: Eric Mill <eric@konklone.com>
Date: Sun, 8 Mar 2015 15:54:28 -0400
To: Peter Eckersley <pde@eff.org>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Jeff Hodges <Jeff.Hodges@kingsmountain.com>, Tanvi Vyas <tanvi@mozilla.com>, Yves Lafon <ylafon@w3.org>, T Guild <ted@w3.org>, Daniel Appelquist <appelquist@gmail.com>, Alex Russell <slightlyoff@google.com>, Ilya Grigorik <igrigorik@google.com>, Yoav Weiss <yoav@yoav.ws>, Martin Thomson <martin.thomson@gmail.com>
Message-ID: <CANBOYLUZvCvcf=2C4pbiBG8=Oyd1oGA5P2rt7yUf+K9OT_Zd-g@mail.gmail.com>

On Sun, Mar 8, 2015 at 7:41 AM, Peter Eckersley <pde@eff.org> wrote:

>> Option #2: UA sniffing. No one likes this, but, since sites are probably
>> sniffing for a variety of reasons anyway, why not add one more? This has
>> the disadvantage of being ugly, but the advantage of not (further) bloating
>> request/response headers.
>>
>> At a higher level, _how important_ is it that we deal with #4?
>
> I would classify the importance of dealing with #4 cleanly as pretty
> high.  If a site gets this wrong, and sets HSTS on a client whose MCB
> implementation breaks the site, that's going to be a source of extremely
> persistent and pernicious problems.  Perhaps such a broken state is
> recoverable, but only if the site can tell which subpopulations it has
> broken, and unset HSTS for them (by setting HSTS with maxage 0).

If a site is smart and security-conscious enough to:

* set a CSP header at all
* set a new CSP header for upgrading mixed content
* conditionally redirect clients that don't support the upgrade spec
down from HTTPS to HTTP
* understand why the tradeoffs and implementation work make sense for
their body of legacy content

...then I think they can probably also evaluate the effect of HSTS on
their website under these circumstances.

This whole upgrade spec is about providing a long-term migration path,
right? Where we expect browser update cycles to outpace the ability of
a website with a large body of content to go through and upgrade the
resource links?

It could be that the tradeoff here is that HSTS is effectively not
advised until the presence of legacy clients that don't support the
UPGRADE spec diminishes to an acceptable amount. At that time, a
website can shut off the HTTPS->HTTP downgrade, and add HSTS, at the
same time. The UPGRADE spec could recommend this strategy.

-- Eric

>
> For these reasons, UA sniffing is unusually inadvisable as an
> implementation strategy for #4.
> --
> Peter Eckersley                            pde@eff.org
> Technology Projects Director      Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>

-- 
konklone.com | @konklone

Received on Sunday, 8 March 2015 19:55:34 UTC