W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2016

Re: [UPGRADE] upgrade-insecure-request-with-fallback

From: Peter Eckersley <pde@eff.org>
Date: Thu, 2 Jun 2016 16:29:32 -0700
To: Tanvi Vyas <tanvi@mozilla.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, Mike West <mkwst@google.com>, Richard Barnes <rbarnes@mozilla.com>, Christoph Kerschbaumer <ckerschbaumer@mozilla.com>, "dveditz@mozilla.com" <dveditz@mozilla.com>
Message-ID: <20160602232932.GJ3142@eff.org>
On Wed, Jun 01, 2016 at 02:56:42PM -0700, Tanvi Vyas wrote:
> upgrade-insecure-requests is a great way for sites to upgrade their
> subresources to https without having to change hardcoded http links.
> upgrade-insecure-requests provides a guarantee that no mixed content will
> load and degrade the security UI of a site.  In cases where an http
> subresource cannot be loaded over https, the subresource will simply fail to
> load and any functionality that it provided will be broken.  Some sites may
> appreciate this property and want assurances that third party content can't
> degrade the security of their site.  Others may feel that they can't afford
> to have potentially broken functionality.  Or they may know of a single,
> important subresource that isn't available over https and not want to spend
> the time and effort to upgrade the rest of their http links to https.  This
> would prevent those sites from using upgrade-insecure-requests.
> 
> I propose we add an upgrade-insecure-request-with-fallback option for sites
> and services that can't afford to break functionality but want the potential
> for increased security.  This fallback option can be either a separate
> directive or an attribute on upgrade-insecure-request.  We will have to be
> careful to ensure that we don't break backwards compatibility with sites
> that already set upgrade-insecure-requests and expect it not to fallback.
> Sites and services that opt into upgrade-insecure-request-with-fallback
> should be aware that they may have slightly decreased performance, because
> in the fallback case there will be two roundtrips for the same subresource.

There are really two versions of the above that could make sense.  One is
fallback for all subresources; the other is fallback for passive mixed content
only.

I think it would be a huge win to offer fallback for passive mixed content as
a UIR variant, and it's something we've really been wanting for Certbot.
Fallback for active mixed content might also make sense (as a separate
directive from servers) and be a win but I expect we'll have to talk a lot
more about how to ensure that doesn't become a source of security holes, and
what the UI would look like.

The case for passive mixed content fallback is simple: if
upgrade-insecure-requests works in that mode, then it is unambiguously
non-breaking to turn it on.  At present, upgrade-insecure-requests unbreaks
some script mixed content, and improves the security of some image loads,
while also breaking some other image loads.  As a result, it can only be set
if a careful site-specific analysis of the consequences has been made.  If a
passive-mixed-fallback mode existed, we would likely start setting it for the
~100,000 domains that currently use Certbot with an installer and request help
in redirecting traffic from HTTP to HTTPS.  I suspect this might also be of
use to platforms like Cloudflare or Wordpress.com that are trying to HTTPSify
millions of domains where they don't fully control the underlying web
application or HTML.

The case for an active-content fallback seems more subtle: we know that mixed
content blocking has made HTTPS much harder to deploy, and there are *some*
sites where we'd probably rather have an imperfect deployment for content
confidentiality vs surveillaince, than no deployment at all. This stronger
form of fallback is pretty comparable to the "opportunistic encryption"
proposals that have been discussed at length, and would have to come with
strong incentives to make it a temporary arrangement. Those could include some
visible UI degradation, an instant F grade on Qualy's SSL Labs scorecard. Or
something more creative, like a requirement that CSP report-only mode for
mixed content be enabled at the same time, so the site has to learn about how
to start fixing its mixed content before enabling this comparatively insecure
option.

-- 
Peter Eckersley                            pde@eff.org
Chief Computer Scientist          Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
Received on Thursday, 2 June 2016 23:29:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:20 UTC