
Re: [UPGRADE] Consider plan B for reduced complexity?

From: Peter Eckersley <pde@eff.org>
Date: Mon, 16 Mar 2015 02:11:59 -0700
To: Mike West <mkwst@google.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
Message-ID: <20150316091159.GA17623@eff.org>

On Tue, Mar 10, 2015 at 08:58:15AM +0100, Mike West wrote:
>    3. Finally, there's the central question of risk and motivation. I'd
>    like to target those authors who are on the fence about migrating to HTTPS.
>    I expect those authors to be skeptical about their TLS configuration, and I
>    would like to give them a way of slowly rolling out behaviors across their
>    user base in order to gain confidence and fix bugs for a subset of users,
>    before turning on a behavior for everyone. I don't think they'll accept
>    anything less.
> A resource-specific opt-in that covers both content types seems to provide
> a path forward on these problems (and certainly doesn't prevent user agents
> from experimenting with changing behavior for blockable mixed content in
> parallel).

Daniel's proposal to make UPGRADE-like behaviour the default (with HSTS2
as a way to make HSTS safely enableable on the same origins) allows
sites to do resource-specific, or user-specific, migration from HTTP to
HTTPS if they want to.  

Is the main issue that you're flagging here the fact that sites can't
similarly UPGRADE the optionally blockable mixed content on the
resources of their choice?

Peter Eckersley                            pde@eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Monday, 16 March 2015 09:12:32 UTC
