Re: Testing W3C's HTTPS setup

(Also, while I'm bothering y'all about encryption, have you considered
opening the secure variant of `irc.w3c.org` up to the public? The server
helpfully explains that W3C Team members can "... join the secure server on
irc.w3.org:6697, using [their] web credentials". It would be lovely if
others could do the same. :) )

-mike

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Sep 14, 2015 at 3:02 PM, Mike West <mkwst@google.com> wrote:

> Hi Wendy, Jose!
>
> Ping. :) How have the tests been going over the last ~2 months? Any update
> on this work?
>
> -mike
>
> On Fri, Jul 10, 2015 at 7:01 PM, Wendy Seltzer <wseltzer@w3.org> wrote:
>
>> Hi WebAppSec,
>>
>> Thanks to Jose and the W3C Systems team, as well as to WebAppSec for
>> development of specs to help the upgrade process, we now have a test
>> instance for HTTPS on the W3C websites.
>>
>> Please see Jose's email below for information about the setup. Because
>> this is an initial test, please don't overwhelm the server by sharing
>> this information widely yet. We look forward to feedback and discussion
>> at the WebAppSec F2F next week and online, so that W3C can roll out a
>> secured website more broadly.
>>
>> Thanks,
>> --Wendy
>>
>> ----------------------------------------
>> The Systems Team set up a test server for testing https, hsts,
>> and csp against www.w3.org web servers.
>>
>> Please don't tweet or announce this server so that we may keep its
>> audience limited. We do not want to advertise this. See Section 3.
>>
>> The test server is equivalent to our production server setup but it's
>> sending back those headers and has disabled the automatic switch to
>> http for public resources. We accept both http and https requests for
>> public resources but enforce a switch to https for protected
>> resources. We're striving to make this server as close in content and
>> setup as that of our production web server.
>>
>> This is a preview of what we're planning to deploy after the summer
>> break, once extensive testing and some internal discussions about how
>> to refer to references (e.g. namespaces, dtd's) are done.
>>
>> These are the headers that are being sent if the connection is HTTPS:
>>
>>   Strict-Transport-Security: max-age=86400; includeSubdomains; preload
>>   Content-Security-Policy: upgrade-insecure-requests
>>
>> As this is a test instance, the HSTS max-age is limited to one day. We can
>> reduce it if people want it.  I'm not sure if we want to add a more
>> restricted CSP.
>>
>> Among the feedback we're looking for are URLs that result in infinite
>> loops (switching between http and https) that we may have missed, as
>> well as mixed-content warnings if you're using the alias access
>> configuration.
>>
>> 1. Accessing the test server
>> ----------------------------
>>
>> N.B. Be sure you read Section 2. How to clear the HSTS settings in
>> your browser before you start testing.
>>
>> * Direct access
>>
>> Change the server from www.w3.org to www-test.w3.org,
>> e.g. https://www-test.w3.org/. This will work with all relative URLs
>> in the server.
>>
>> You should expect to get more mixed content warnings with this kind of
>> test due to absolute URLs in some of our resources.
>>
>> * Alias access
>>
>> If you know how to do this, change your /etc/hosts so that your
>> www.w3.org requests are handled by www-test.w3.org:
>>
>> [[
>> # www-test.w3.org
>> 128.30.52.122   www.w3.org     www.w3.org
>> ]]
>>
>> This strategy will make all requests to www.w3.org be served by
>> www-test.w3.org. It will work even with absolute URLs and gives you
>> the best preview of the secure setup.
>>
>> 2. How to clear the HSTS settings in your browser
>> -------------------------------------------------
>>
>> If you're using www-test.w3.org as an alias for www.w3.org, the hsts
>> header will persist even if you clear that alias. You'll need to
>> reset your browser. Here is how to do this for some browsers. For
>> those not shown here, make sure you know how to disable it before
>> attempting an alias setup.
>>
>> * Firefox:
>>   History -> Clear Recent History -> Site Preference
>>
>> * Chrome / Opera:
>>   go to: chrome://net-internals/#hsts
>>   Under the "Delete domain" section type in the Domain field
>>   "www.w3.org" and click on the "Delete" button.
>>
>> If you forget to reset your browser and delete the alias, it will get
>> stuck into infinite loops switching between http and https for some
>> public resources, resulting in your IP@ being temporarily banned from
>> accessing the w3c site. If this is the case, reset your browser, then
>> mail sysreq@w3.org citing the context, giving your IP@ and ask to
>> reset it from our access filter.
>>
>> 3. Disclaimer
>> -------------
>>
>> www-test.w3.org is only a test server. We try to make it work as a
>> production one but it may have inconsistent content or be down without
>> warning. We will shut this server down when the test period is
>> completed or if it gets too much traffic. Be careful as links
>> pointing to it (https?://www-test.w3.org/.*) will be broken at that
>> time. If you're testing it and it goes offline, please mail
>> sysreq@w3.org for further info and ask when it will become
>> available again.
>>
>
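Two of the things the quoted setup note asks testers to look at are the HSTS header the test server sends and http/https redirect loops on public resources. The following added example (my own illustration, not code from W3C or the Systems Team) parses a Strict-Transport-Security value as RFC 6797 describes, flags settings a reviewer would usually question, and walks a table of redirect responses to detect a scheme loop before a browser would get stuck in one. The response table and the `/protected-example/` and `/public-example/` paths are constructed for the example and do not describe real www.w3.org behaviour; the one-year preload threshold is the documented hstspreload.org submission requirement.

```python
"""Added example (not W3C's code): check an HSTS header and hunt for http<->https redirect loops."""
from __future__ import annotations

from dataclasses import dataclass

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds, the hstspreload.org minimum

# Header value exactly as quoted in the email for the test server.
TEST_SERVER_HSTS = "max-age=86400; includeSubdomains; preload"


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value.

    Directive names are case-insensitive (RFC 6797), so the test server's
    'includeSubdomains' is the same directive as 'includeSubDomains'.
    Unknown directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"max-age must be a non-negative integer: {directive!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("Strict-Transport-Security requires a max-age directive")
    return HstsPolicy(max_age, include_subdomains, preload)


def review_hsts(policy: HstsPolicy) -> list[str]:
    """Return findings a reviewer would raise (empty list means nothing to flag)."""
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy; browsers stop enforcing HTTPS")
    if policy.preload and policy.max_age < PRELOAD_MIN_MAX_AGE:
        findings.append(
            f"preload is set but max-age={policy.max_age} is below the one-year preload minimum"
        )
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings


# Constructed responses (hypothetical paths, not real www.w3.org behaviour):
# a protected resource that upgrades cleanly, and a public resource whose
# http and https variants redirect to each other, the loop testers are asked to report.
SAMPLE_RESPONSES: dict[str, tuple[int, str | None]] = {
    "http://www-test.w3.org/protected-example/": (301, "https://www-test.w3.org/protected-example/"),
    "https://www-test.w3.org/protected-example/": (200, None),
    "http://www-test.w3.org/public-example/": (301, "https://www-test.w3.org/public-example/"),
    "https://www-test.w3.org/public-example/": (302, "http://www-test.w3.org/public-example/"),
}


def follow_redirects(start: str, responses: dict[str, tuple[int, str | None]],
                     limit: int = 10) -> tuple[str, list[str]]:
    """Walk a table of (status, Location) responses starting at `start`.

    Returns ("ok", chain) once a non-redirect is reached, ("loop", chain) as soon
    as a URL repeats, or ("limit", chain) if the hop cap is exhausted.
    """
    chain = [start]
    current = start
    while len(chain) <= limit:
        status, location = responses.get(current, (200, None))
        if status not in (301, 302, 307, 308) or location is None:
            return "ok", chain
        chain.append(location)
        if location in chain[:-1]:
            return "loop", chain
        current = location
    return "limit", chain


if __name__ == "__main__":
    policy = parse_hsts(TEST_SERVER_HSTS)
    print(policy, review_hsts(policy))
    for url in ("http://www-test.w3.org/protected-example/", "http://www-test.w3.org/public-example/"):
        print(url, "->", follow_redirects(url, SAMPLE_RESPONSES))
```

Against the quoted header the reviewer check reports that `preload` is present while `max-age` is a day rather than a year, which is exactly the kind of tension a short test-phase `max-age` creates; the loop walker returns the full chain so a tester can paste it into the feedback mail.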

Received on Tuesday, 15 September 2015 08:57:04 UTC