Re: Testing W3C's HTTPS setup

From: Ted Guild <ted@w3.org>
Date: Thu, 08 Oct 2015 09:08:15 -0400
Message-ID: <1444309695.10610.106.camel@w3.org>
To: Mike West <mkwst@google.com>, Brad Hill <hillbrad@gmail.com>
Cc: public-webappsec@w3.org, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>

Here is an update of internal discussions and how the WG can help.

First of all, thank you for moving the spec to CR.  That gives us more
legitimacy in moving our site to HSTS+Upgrade Insecure Requests.

Given how few browsers currently support this and Firefox 42 will in
early November, we are inclined to wait a little longer as it gives us
two browser implementations on every major OS. We would not want to make
such a disruptive move before TPAC.  

http://caniuse.com/#feat=upgradeinsecurerequests

We are encouraging other browser vendors to implement this and would
like the WG to as well.  Do you have any additional feedback or
knowledge of browser support timelines you could share with us?

W3C has never previously pushed the envelope on adopting standards on
its site that would degrade the experience for some UA.  We are willing
to for this because we feel it can have a broad impact in increasing end
to end encryption on the web.  We would like other large and complex
site operators, especially those with larger audiences than us, to
follow suit.  Here too the WG can help and see if any such operators
among them are willing to join us in this move.

No specific date set yet but likely November.  Deployment timing can
also be influenced to coordinate with other sites.

Brad, we would like to at least cite your writeup in an article we will
write to promote this.  It explains the HTTPS upgrade conundrum for site
operators very well, and we would welcome your and other WG input.

http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html

> Can you help me understand your expectations around HSTS and
> `upgrade-insecure-requests`? In particular, it's not at all clear to me
> what was happening in Firefox that wasn't happening in other browsers that
> don't support the header (which, presumably, you also want to support on
> the website).

-- 
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org

Received on Thursday, 8 October 2015 13:08:20 UTC