- From: Mike West <mkwst@google.com>
- Date: Mon, 14 Sep 2015 15:02:21 +0200
- To: Wendy Seltzer <wseltzer@w3.org>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Jose Kahan <jose.kahan@w3.org>
- Message-ID: <CAKXHy=f=zgU5PRcWDY1vWEAFVRYoG9KsW9bKy2XGnDRiUr219A@mail.gmail.com>
Hi Wendy, Jose!

Ping. :) How have the tests been going over the last ~2 months? Any update on this work?

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Court of registration and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Jul 10, 2015 at 7:01 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
> Hi WebAppSec,
>
> Thanks to Jose and the W3C Systems team, as well as to WebAppSec for
> development of specs to help the upgrade process, we now have a test
> instance for HTTPS on the W3C websites.
>
> Please see Jose's email below for information about the setup. Because
> this is an initial test, please don't overwhelm the server by sharing
> this information widely yet. We look forward to feedback and discussion
> at the WebAppSec F2F next week and online, so that W3C can roll out a
> secured website more broadly.
>
> Thanks,
> --Wendy
>
> ----------------------------------------
> The Systems Team set up a test server for testing https, hsts,
> and csp against www.w3.org web servers.
>
> Please don't tweet or announce this server so that we may keep its
> audience limited. We do not want to advertise this. See Section 3.
>
> The test server is equivalent to our production server setup but it's
> sending back those headers and has disabled the automatic switch to
> http for public resources. We accept both http and https requests for
> public resources but enforce a switch to https for protected
> resources. We're striving to make this server as close in content and
> setup as that of our production web server.
>
> This is a preview of what we're planning to deploy after the summer
> break, once extensive testing and some internal discussions about how
> to refer to references (e.g. namespaces, DTDs) are done.
>
> These are the headers that are being sent if the connection is HTTPS:
>
> Strict-Transport-Security: max-age=86400; includeSubdomains; preload
> Content-Security-Policy: upgrade-insecure-requests
>
> As this is a test instance, the HSTS max-age is limited to one day. We can
> reduce it if people want it. I'm not sure if we want to add a more
> restricted CSP.
>
> Among the feedback we're looking for are URLs that result in infinite loops
> (switching between http and https) that we may have missed, as well as
> mixed-content warnings if you're using the alias access configuration.
>
> 1. Accessing the test server
> ----------------------------
>
> N.B. Be sure you read Section 2, "How to clear the HSTS settings in
> your browser", before you start testing.
>
> * Direct access
>
> Change the server from www.w3.org to www-test.w3.org,
> e.g. https://www-test.w3.org/. This will work with all relative URLs
> in the server.
>
> You should expect to get more mixed-content warnings with this kind of
> test due to absolute URLs in some of our resources.
>
> * Alias access
>
> If you know how to do this, change your /etc/hosts so that your
> www.w3.org requests are handled by www-test.w3.org:
>
> [[
> # www-test.w3.org
> 128.30.52.122 www.w3.org www.w3.org
> ]]
>
> This strategy will make all requests to www.w3.org be served by
> www-test.w3.org. It will work even with absolute URLs and gives you
> the best preview of the secure setup.
>
> 2. How to clear the HSTS settings in your browser
> -------------------------------------------------
>
> If you're using www-test.w3.org as an alias for www.w3.org, the HSTS
> header will persist even if you clear that alias. You'll need to
> reset your browser. Here is how to do this for some browsers. For
> those not shown here, make sure you know how to disable it before
> attempting an alias setup.
>
> * Firefox:
> History -> Clear Recent History -> Site Preference
>
> * Chrome / Opera:
> go to: chrome://net-internals/#hsts
> Under the "Delete domain" section type in the Domain field
> "www.w3.org" and click on the "Delete" button.
>
> If you forget to reset your browser and delete the alias, it will get
> stuck in infinite loops switching between http and https for some
> public resources, resulting in your IP address being temporarily banned
> from accessing the W3C site. If this is the case, reset your browser,
> then mail sysreq@w3.org citing the context, giving your IP address, and
> ask to reset it from our access filter.
>
> 3. Disclaimer
> -------------
>
> www-test.w3.org is only a test server. We try to make it work as a
> production one but it may have inconsistent content or be down without
> warning. We will shut this server down when the test period is
> completed or if it gets too much traffic. Be careful as links
> pointing to it (https?://www-test.w3.org/.*) will be broken at that
> time. If you're testing it and it goes offline, please mail
> sysreq@w3.org for further info and ask when it will become
> available again.
Received on Monday, 14 September 2015 13:03:14 UTC
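Added illustration (editor's example; not code from the thread, from W3C or from the Systems Team): a small Python model of the interaction Jose's section 2 warns about. A browser that has cached an HSTS entry for www.w3.org from testing through the /etc/hosts alias keeps upgrading http to https internally; once the alias is removed and the request reaches a server that still switches public resources back to http, the two rules chase each other and the client never settles. The same script checks the quoted Strict-Transport-Security value against the published preload-list submission requirements (max-age of at least 31536000 seconds, includeSubDomains, and the preload token). Everything below is constructed: `production_server` and `staging_server` are stand-ins for the behaviour the email describes, not the real www.w3.org configuration, the `/Member/` prefix is an assumed marker for "protected resources", and `Browser`, `check_hsts` and `alias_loop_scenario` are names chosen for this example.

```python
"""Constructed model of HSTS caching versus an http/https redirect policy.

Nothing here talks to the network; the two server functions imitate the
behaviour described in the email so the loop can be reproduced offline.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Assumption: thresholds taken from the hstspreload.org submission rules.
PRELOAD_MIN_MAX_AGE = 31536000  # one year
REDIRECT_STATUSES = {301, 302, 307, 308}

# The two response headers quoted in the email (sent over https only).
STAGING_HEADERS = {
    "Strict-Transport-Security": "max-age=86400; includeSubdomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests",
}


def parse_hsts(value):
    """Split an STS header value into a lower-cased directive -> value map."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if token:
            name, _, val = token.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(value):
    """Summarise an STS header and list anything that blocks preloading."""
    d = parse_hsts(value)
    problems, max_age = [], None
    if "max-age" not in d:
        problems.append("max-age missing (header is ignored by browsers)")
    else:
        try:
            max_age = int(d["max-age"])
        except ValueError:
            problems.append("max-age is not an integer")
    if "preload" in d:  # the token alone does nothing; the list has its own bar
        if max_age is None or max_age < PRELOAD_MIN_MAX_AGE:
            problems.append(f"preload needs max-age >= {PRELOAD_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            problems.append("preload needs includeSubDomains")
    return {"max_age": max_age, "include_subdomains": "includesubdomains" in d,
            "preload": "preload" in d, "problems": problems}


def _with_scheme(url, scheme):
    return urlunsplit((scheme,) + tuple(urlsplit(url)[1:]))


def _protected(url):
    # Assumption for the model: /Member/ stands in for "protected resources".
    return urlsplit(url).path.startswith("/Member/")


def production_server(url):
    """Constructed: public resources switched back to http, protected ones
    forced to https, no STS header at all (the pre-HTTPS production setup)."""
    scheme = urlsplit(url).scheme
    if _protected(url) and scheme == "http":
        return 301, {"Location": _with_scheme(url, "https")}
    if not _protected(url) and scheme == "https":
        return 301, {"Location": _with_scheme(url, "http")}
    return 200, {}


def staging_server(url):
    """Constructed: both schemes accepted for public resources, protected ones
    forced to https, STS and CSP headers sent on https responses only."""
    scheme = urlsplit(url).scheme
    if _protected(url) and scheme == "http":
        return 301, {"Location": _with_scheme(url, "https")}
    return (200, dict(STAGING_HEADERS)) if scheme == "https" else (200, {})


@dataclass
class Browser:
    """Minimal client that remembers hosts for which an STS header was seen."""
    hsts_hosts: set = field(default_factory=set)

    def clear_hsts(self, host):
        """What section 2 of the email does through the browser UI."""
        self.hsts_hosts.discard(host)

    def fetch(self, server, url, max_hops=10):
        """Follow redirects; return (final_url, urls_requested, looped)."""
        requested = []
        for _ in range(max_hops):
            parts = urlsplit(url)
            if parts.scheme == "http" and parts.hostname in self.hsts_hosts:
                url = _with_scheme(url, "https")  # internal upgrade, no request sent
                parts = urlsplit(url)
            if url in requested:
                return url, requested, True  # same URL again: redirect loop
            requested.append(url)
            status, headers = server(url)
            if parts.scheme == "https" and "Strict-Transport-Security" in headers:
                self.hsts_hosts.add(parts.hostname)  # STS is honoured only over TLS
            if status not in REDIRECT_STATUSES:
                return url, requested, False
            url = headers["Location"]
        return url, requested, True


def alias_loop_scenario():
    """Test through the alias, drop the alias without clearing HSTS, then
    clear it; returns the three fetch results in that order."""
    b = Browser()
    first = b.fetch(staging_server, "http://www.w3.org/Member/")  # alias in place
    second = b.fetch(production_server, "http://www.w3.org/")    # alias removed
    b.clear_hsts("www.w3.org")
    third = b.fetch(production_server, "http://www.w3.org/")
    return first, second, third


if __name__ == "__main__":
    print(check_hsts(STAGING_HEADERS["Strict-Transport-Security"]))
    for final, hops, looped in alias_loop_scenario():
        print("LOOP" if looped else "ok  ", final, hops)
```

Running it prints the preload-eligibility findings for the quoted header and then the three fetches: the first succeeds and caches an HSTS entry for www.w3.org, the second detects the loop the moment the client would re-request https://www.w3.org/, and the third succeeds again once the entry is cleared. The loop detector keys on a repeated URL rather than a hop count so that a legitimately long redirect chain is not misreported.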