
Re: Testing W3C's HTTPS setup

From: Alex Russell <slightlyoff@google.com>
Date: Tue, 22 Sep 2015 14:24:37 -0700
Message-ID: <CANr5HFUhEyaP8O+W786O++1KWRwpJg4HM1canPR1kr8FSf1CKg@mail.gmail.com>
To: Eric Mill <eric@konklone.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, Mike West <mkwst@google.com>, Jose Kahan <jose.kahan@w3.org>, Wendy Seltzer <wseltzer@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Sep 21, 2015 at 10:53 AM, Eric Mill <eric@konklone.com> wrote:

>
> On Mon, Sep 21, 2015 at 1:33 PM, Richard Barnes <rbarnes@mozilla.com>
> wrote:
>
>>
>>
>> On Mon, Sep 21, 2015 at 1:29 PM, Anne van Kesteren <annevk@annevk.nl>
>> wrote:
>>
>>> On Mon, Sep 21, 2015 at 2:06 PM, Mike West <mkwst@google.com> wrote:
>>> > On Mon, Sep 21, 2015 at 1:48 PM, Jose Kahan <jose.kahan@w3.org> wrote:
>>> >> We need a solution that will allow to assume all content is https,
>>> >> in perpetuity, without needing to upgrade all legacy content.
>>> >
>>> > That seems like an unfortunate design decision. I hope you'll change
>>> > your mind over time. :)
>>>
>>> Why?
>>>
>>> The header makes the two types of content identical. User agents not
>>> implementing the header will be considered broken in due course, just
>>> like user agents not supporting the Host header are today.
>>>
>>> I really don't think we should give folks the impression that one is
>>> better than the other long term, or worse, that the header might go
>>> away. That just harms adoption.
>>>
>>
>> +1
>>
>> Once we're in a world where we can apply a "universal HSTS" policy,
>> there's no reason to continue hating on "http:" URIs.
>>
>
> Sure, but that world is a long ways away, much longer than the W3C should
> wait to start demonstrating leadership with HTTPS/HSTS on w3.org.
>

Can't +1 this hard enough.
Received on Tuesday, 22 September 2015 21:25:35 UTC
