W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2015

Re: [UPGRADE] Consider plan B for reduced complexity?

From: Mike West <mkwst@google.com>
Date: Tue, 17 Mar 2015 10:06:02 +0100
Message-ID: <CAKXHy=eya3t5AddnPKH1qu3R7rAAHKnhQSFqkZt3zSijLp36Uw@mail.gmail.com>
To: Peter Eckersley <pde@eff.org>, David Walp <David.Walp@microsoft.com>, Tanvi Vyas <tanvi@mozilla.com>, Crispin Cowan <crispin@microsoft.com>, Dan Veditz <dveditz@mozilla.com>
Cc: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Eric Mill <eric@konklone.com>
On Mon, Mar 16, 2015 at 9:11 PM, Peter Eckersley <pde@eff.org> wrote:

> Unless the transition from upgrade-insecure to
>
upgrade-insecure-by-default was swift, well-informed websites would want
> to send the CSP header for a long time, even though it was the default
> behaviour of most clients.
>

I think getting "most clients" on board "swift"ly is going to be difficult.
I also think that legacy browsers are going to be around long enough to
make it unlikely that folks can cleanly rely on new default behaviors
without doing some work.

You have a better sense of what's doable quickly in Chrome than I do
> :). *If* upgrade-insecure can ship quickly, and
> upgrade-insecure-by-default cannot, even as a cohorted / experimental
> feature, then let's follow your plan


Making the behavior opt-in is a conservative, safe option that I believe I
can sell to Blink's API owners. It leaves room for radical, risky
experiments in parallel, but won't break any Forbsean sites that do strange
things for strange reasons.

It does less than you want, but significantly more than nothing, and seems
like the right compromise approach to get things started. Getting something
out into developers hands now seems like the best way to evaluate whether
the impacts we're discussing here actually matter to developers interested
in deploying the feature.


> supplemented by either an improved #209 or some concretised version of
> #212 (whose full impact in terms of possible extra bytes from Location:
> headers, extra roundtrips, and additional cookie and page content exposure
> I don't fully understand yet).


The spec as-written handles the core use-case of upgrading HTTP to HTTPS by
unconditionally sending a `Prefer` signal along with insecure navigational
requests to which the server can respond with a redirect. It does not
attempt to handle downgrading HTTPS to HTTP for upgrade-incapable clients,
nor does it attempt to handle setting HSTS for upgrade-capable clients.

On the issue of downgrades: I'm reluctant to add a header to every secure
navigational request as well (as suggested in
https://github.com/w3c/webappsec/pull/209), as I don't see how we'd ever be
able to remove them once added. I agree that the downgrade procedure I
proposed in https://github.com/w3c/webappsec/issues/212 is nuts. I don't
have a good answer here other than UA sniffing (which, really, I don't
think is that bad of an option).

HSTS is something for which I think we can add a reasonable workaround: if
we add an `upgraded: 1` (or similar) signal when we actually upgrade a
resource (as proposed as part of https://github.com/w3c/webappsec/issues/212),
then you can safely send `Strict-Transport-Security` along with the
response to an upgraded request. That has the advantage of a) going away
over time as folks edit their pages for legacy support, and b) applying
only to sites that request upgrades. The more I think about it, the more I
think we should add this: I've poked at it in
https://github.com/w3c/webappsec/commit/05e5358eddcce3981a9f1afc5ff31bebc568cfb4.
Alternate spelling suggestions welcome. :)


> If there's a way that we could start upgrade-insecure-by-default as a
> cohorted experiment that becomes universal in a release or two, I think
> we should consider that path, since it fixes more sites and makes
> everything simpler for developers.
>

I suspect that "universal" is unlikely to happen in a release or two among
the evergreen browsers, and I don't think the
locked-into-a-version-of-IE-at-work market is going away.

It might be helpful if other browser vendors would weigh in regarding their
likelihood to implement something along the lines of what we're discussing
(+David/Crispin from Microsoft, +Tanvi/Dan from Mozilla (Hi!)), but I doubt
anyone is going to commit to near-future timelines for the behavioral
change you're looking for.

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 17 March 2015 09:06:51 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:11 UTC