W3C home > Mailing lists > Public > semantic-web@w3.org > August 2014

Re: The ability to automatically upgrade a reference to HTTPS from HTTP

From: Michael Brunnbauer <brunni@netestate.de>
Date: Sun, 24 Aug 2014 02:32:32 +0200
To: Tim Berners-Lee <timbl@w3.org>
Cc: Public TAG List <www-tag@w3.org>, SW-forum Web <semantic-web@w3.org>
Message-ID: <20140824003232.GA32028@netestate.de>

Hello Tim,

>I'm not sure I understand your argument.
>That's fine if they have the same content for http and https

It boils down to Roy Fielding's argument that there has never been any shared
authority between a site on port 80 and a site on 443 - which is solidified 
in Apache configuration: You classically configure both sites separately and
I think today there is still no way to avoid that.

So if an administrator has 10 HTTP/1.1 sites on the same IP and wants
to add a https version of one of those sites, what does he do? Will he
create a SSL version for every site in the configuration although all but
one of them will be useless and lead to a certificate error? Of course not.

So 9 of the 10 sites will not have the same content for http and https
(and yield a common name mismatch).

You may argue that agents could check if the certificate common name
matches the hostname but this does not seem feasible for the whole range of
agents to me and mixes things that maybe should be kept apart. How many 
current SSL libraries will still throw an error at the common name mismatch 
if certificates from unknown authorities are allowed?

What if the administrator only wants to secure a form or a shop checkout
and does not bother to copy the whole site configuration for http into
the https version? 10 of the 10 sites will not have the same content for http
and https.

>I am just saying that if 
>https://foo.com/bar  and http://foo.com/bar both exist, then they should be able to use the content of the https://foo.com/bar page when I am looking for the http://foo.com/bar page.

Would this also apply for 40x errors? That would enable any website A to break
another website B that has different content on http and https: Just
include some inline https URLs from B that 404 but are present and
needed in the http version.

What you are saying can also become something different in practice.
Developers may assume that the other way round is also OK. Hugh Glaser has
brought up the nearby idea of owl:sameAs for http and https, etc.

>Well, there is a massive movement for HTTPS everywhere.  That is happening now anyway.  So websites in general are being pushed to move into https.

https://webfoundation.org/2014/08/world-wide-web-foundation-warns-google-https-policy-could-create-unequal-web/

Regards,

Michael Brunnbauer

-- 
++  Michael Brunnbauer
++  netEstate GmbH
++  Geisenhausener Straße 11a
++  81379 München
++  Tel +49 89 32 19 77 80
++  Fax +49 89 32 19 77 89 
++  E-Mail brunni@netestate.de
++  http://www.netestate.de/
++
++  Sitz: München, HRB Nr.142452 (Handelsregister B München)
++  USt-IdNr. DE221033342
++  Geschäftsführer: Michael Brunnbauer, Franz Brunnbauer
++  Prokurist: Dipl. Kfm. (Univ.) Markus Hendel

Received on Sunday, 24 August 2014 00:32:55 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 08:45:38 UTC