W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2016

Re: [UPGRADE] upgrade-insecure-request-with-fallback

From: Brad Hill <hillbrad@gmail.com>
Date: Tue, 12 Jul 2016 20:42:42 +0000
Message-ID: <CAEeYn8ixdbaoqRB89OdN63eu49Ws4_1YuPix3TYq=5W=kS3s0g@mail.gmail.com>
To: Peter Eckersley <pde@eff.org>
Cc: Chris Palmer <palmer@google.com>, Tanvi Vyas <tanvi@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Richard Barnes <rbarnes@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>
I understand the value; I guess I would leave it up to UA implementers.  We
currently have implementations in Chrome, Firefox and Safari.  Would those
implementers be interested in adding a mode with fallback?  On what
timeline?  Should we try to do this before moving Upgrade Insecure Requests
to Proposed Recommendation?

On Wed, Jul 6, 2016 at 7:15 PM Peter Eckersley <pde@eff.org> wrote:

> On Fri, Jul 01, 2016 at 07:41:14PM +0000, Brad Hill wrote:
> > I agree it creates no new vulnerabilities, but I question the benefits.
> >
> > Yes, user agents do and will continue to block insecure scripts.  This is
> > exactly the crux. If you got a new cert for your http site that depends
> on
> > external scripts to render important user experiences, make buttons
> click,
> > or just measure the ads that pay to keep you in business, you can't start
> > sending users to the https version yet if those scripts don't upgrade.
> > This is why I think that it's not realistic to think that Certbot could
> > just start flipping the switch automatically.  Modern web apps depend
> > deeply on scripts and things will break.
>
> There are few possible switches here: (1) enable existing UIR, (2) enable
> an
> HTTP -> HTTPS redirect (3) enable UIR-FB-passive-mixed-content-only (4)
> enable
> UIR-FB-all-mixed-content (5) enable CSP reporting to
> https://report-uri.io or some similar service.
>
> Currently we offer switches (1) and (2).  We'd like to flip (1) by default,
> but cannot because it breaks HTTP images on some HTTPS pages that would
> otherwise work fine (but trigger Chrome's triangle warning).  If (3)
> existed,
> we could and would flip it safely as the default for Certbot users who ask
> for
> security settings automation.
>
> We still couldn't and wouldn't flip (2) by default.  And we wouldn't flip
> (4)
> by default, but it would be nice to be able to offer it as a prominent
> feature, especially in the form of a single switch that combines (2) (4)
> and
> (5) together (conditional on the client UA being new enough to support
> (4)).
>
>
>
> >
> > Certainly there is some population of sites that could benefit from
> > UIR-FB.  If the cost to implement is very cheap, let's do it.  If it's
> not,
> > we should try to understand a bit how big that population is.
> >
> > On Fri, Jul 1, 2016 at 11:59 AM Chris Palmer <palmer@google.com> wrote:
> >
> > > I'm less concerned about non-secure script in an otherwise-secure page,
> > > because good UAs block it outright anyway. Point your favorite browser
> at
> > > https://mixed-script.badssl.com/, for example. Desktop Firefox and
> Chrome
> > > refuse to load the non-secure script, but have an option to let the
> person
> > > load it anyway (with suitably frightening messaging); Safari and
> Chrome for
> > > iOS, and it seems Safari for desktop, don't even have that option. IE
> makes
> > > it a bit too easy to load the non-secure script for my tastes, but
> even so
> > > it's safe by default. And most browsers do still distinguish
> fully-secure
> > > page-loads from those that have some mixed display content.
> > >
> > > So, assuming a good UA, UIR-FB seems to be much more of a win for HTTPS
> > > deployment than a safety risk.
> > >
> > > My boundless optimism ;) allows me to hope that the slowness of the 2
> > > round-trips (as Tanvi mentioned) would be incentive enough for
> > > some/many/most site operators to use UIR-FB only as a temporary aid
> and not
> > > a permanent mode of deployment. Surely, some will leave it permanent,
> so
> > > we'd still have to do all the usual outreach and evangelism.
> > >
> > > I don't relish latency, evangelism, or complexity, but I don't see that
> > > UIR-FB creates a new vulnerability, and the benefits could be
> substantial.
> > >
>
> --
> Peter Eckersley                            pde@eff.org
> Chief Computer Scientist          Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>
Received on Tuesday, 12 July 2016 20:43:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC