
Re: Testing W3C's HTTPS setup

From: Mike West <mkwst@google.com>
Date: Thu, 8 Oct 2015 15:30:07 +0200
Message-ID: <CAKXHy=ebYJBpDMoVjf9dFvfBEaMxeLduvFUZA656N3kpEapvRQ@mail.gmail.com>
To: T Guild <ted@w3.org>
Cc: Brad Hill <hillbrad@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Jose Kahan <jose.kahan@w3.org>, Crispin Cowan <crispin@microsoft.com>, Rob.Trace@microsoft.com
On Thu, Oct 8, 2015 at 3:08 PM, Ted Guild <ted@w3.org> wrote:

> Here is an update of internal discussions and how the WG can help.
>

Thanks, Ted!


> Given how few browsers currently support this and Firefox 42 will in
> early November, we are inclined to wait a little longer as it gives us
> two browser implementations on every major OS.


It's not entirely clear to me how the landscape will change after Firefox
ships. You'll be faced with browsers that support the feature, and browsers
that don't. The fact that the one group gets larger and the other gets
smaller doesn't change that you'll need to support both, as I noted in the
email you quoted at the bottom of your reply.

The spec provides mechanisms for you to make server-side decisions about
which group the user who's currently browsing your site falls into. I don't
understand why that doesn't satisfy your need.

> We are encouraging other browser vendors to implement this and would
> like the WG to as well.  Do you have any additional feedback or
> knowledge of browser support timelines you could share with us?
>

Apple isn't a member of the working group, and hasn't been responsive to my
inquiries. I'd encourage folks to ask. :)

As far as Microsoft goes, I'll defer to Crispin and Rob (CC'd), who might
have more detailed information than is available on
https://dev.modern.ie/platform/status/upgradeinsecureresourcerequests/.


> W3C has never previously pushed the envelope on adopting standards on
> its site that would degrade the experience for some UA.


How does this migration "degrade the experience for some UA"? Does the
signaling header not give you enough detail to know when a user agent can
be upgraded, and when it can't?

> No specific date set yet but likely November.  Deployment timing can
> also be influenced to coordinate with other sites.
>

Would it be possible to redirect particular resources before November?
Every spec this group has published in TR space, for example? :) Those
resources can be upgraded for all users without mixed content issues.

> Brad we would like to at least cite your writeup in an article we will
> write to promote this.  It explains the HTTPS upgrade conundrum for site
> operators very well and would welcome your and other WG input.
>
> http://webappsec-test.info/~bhill2/DifferentTakeOnOE.html
>
> > Can you help me understand your expectations around HSTS and
> > `upgrade-insecure-requests`? In particular, it's not at all clear to me
> > what was happening in Firefox that wasn't happening in other browsers that
> > don't support the header (which, presumably, you also want to support on
> > the website).
>
> --
> Ted Guild <ted@w3.org>
> W3C Systems Team
> http://www.w3.org
>

Thanks again!

-mike
Received on Thursday, 8 October 2015 13:31:02 UTC
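The server-side decision Mike refers to above is the `Upgrade-Insecure-Requests: 1` request header: a browser that sends it can handle the CSP `upgrade-insecure-requests` directive, so it can be redirected to HTTPS, while a request without it comes from a UA that may render mixed content as broken and so keeps getting HTTP. The following is an added example written for this archive page, not W3C's server code or anything from the thread. It assumes a canonical origin of `https://www.w3.org`, a hypothetical allow-list of path prefixes (`/TR/`) known to be free of `http://` subresources, and a caller-supplied `serve` function that renders a page body. It also ties in the HSTS point from the quoted question: the `Strict-Transport-Security` header is only emitted to a UA that sent the upgrade signal over HTTPS, which is what the specification recommends, so a legacy browser is never pinned to HTTPS on a site it cannot render cleanly.

```python
"""Routing plain-HTTP requests by the Upgrade-Insecure-Requests signal.

Constructed example; not W3C's code. Origin, path allow-list and HSTS
max-age are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

HTTPS_ORIGIN = "https://www.w3.org"          # assumed canonical HTTPS origin
MIXED_CONTENT_FREE_PREFIXES = ("/TR/",)      # hypothetical allow-list
HSTS_VALUE = "max-age=31536000"              # assumed: one year


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup of a response header."""
        for k, v in self.headers:
            if k.lower() == name.lower():
                return v
        return None


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup of a request header; '' when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return ""


def wants_upgrade(headers: Dict[str, str]) -> bool:
    """True when the UA advertised support for upgrade-insecure-requests."""
    return _get(headers, "Upgrade-Insecure-Requests") == "1"


def safe_for_all_uas(path: str) -> bool:
    """True for resources known to reference no http:// subresources,
    which can be moved to HTTPS for every UA without mixed-content issues."""
    return path.startswith(MIXED_CONTENT_FREE_PREFIXES)


def handle(scheme: str, path: str, headers: Dict[str, str],
           serve: Callable[[str], bytes]) -> Response:
    """Route one request. `serve(path)` renders the page body."""
    if not path.startswith("/"):
        raise ValueError("path must be an absolute request path")

    if scheme == "https":
        resp = Response(200, body=serve(path))
        # Ask supporting browsers to upgrade this page's own http:// subresources.
        resp.headers.append(("Content-Security-Policy", "upgrade-insecure-requests"))
        if wants_upgrade(headers):
            # Only a UA that can upgrade is pinned to HTTPS; a legacy UA
            # given HSTS here would later be forced onto pages it breaks on.
            resp.headers.append(("Strict-Transport-Security", HSTS_VALUE))
        return resp

    # Plain HTTP. The answer depends on a request header, so shared caches
    # must key on it or they will hand an HTTPS redirect to a legacy UA.
    vary = ("Vary", "Upgrade-Insecure-Requests")
    if wants_upgrade(headers) or safe_for_all_uas(path):
        return Response(307, [("Location", HTTPS_ORIGIN + path), vary])

    # Legacy UA on a page that may still have mixed content: keep serving HTTP.
    return Response(200, [vary], body=serve(path))
```

The 307 (rather than 301) keeps the redirect from being cached independently of the `Vary` key by older caches and preserves the request method; once every resource is mixed-content free, the allow-list grows to `/` and the header check becomes irrelevant.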
