Re: HTTPS at W3C. from Ted Guild on 2014-11-17 (www-tag@w3.org from November 2014)

From: Ted Guild <ted@w3.org>
Date: Mon, 17 Nov 2014 13:13:29 -0500
To: "SULLIVAN, BRYAN L" <bs3131@att.com>
Cc: 'Daniel Appelquist' <appelquist@gmail.com>, TAG List <www-tag@w3.org>, Wendy Seltzer <wseltzer@w3.org>, Brad Hill <hillbrad@gmail.com>, Mike West <mkwst@google.com>
Message-ID: <1416248009.3002.589.camel@pero>

I have intended to write up a longer public explanation of why we
haven't deployed HTTPS universally at W3C.  In the mean time a short
version:

* Presently we force requests that require authentication or are deemed
sensitive by ACLs to go through HTTPS URIs.  I've seen some in past
www-tag thread argue on using SSL as warranted instead of a blanket on
all traffic.  This is an example of such a practice.

* We have millions (literally) of static resources with absolute URIs
that would need to be modified.  Besides the sheer amount of work, some
but not all doable automatically, there is also policies against
modifying specifications for instance.

* HSTS seemed promising at transitioning those like us with large bodies
of content that would be extremely onerous to modify.  It is not
deployed and behaving consistently in all major browsers (as we last
checked a few months ago).

* Mixed content warning algorithms are based on the page as it is
retrieved and not as it is served. So even with HSTS and us redirecting
all HTTP to the corresponding HTTPS our users will get inundated with
mixed content warnings.  These are typically interpreted by users as
glaring issues, will deter them from using W3C site and plague us with
issue reports.  Several major vendors have bugs reported on precisely
this situation.  After these bugs are fixed, those using legacy browsers
are still subject to it.

* W3C Specifications have advertised HTTP URIs of things intended to be
machine readable, eg DTD, other schemata, name spaces and also things
like RSS feeds.  We have a rather significant amount of machine traffic
for these resources and a question for the TAG is whether W3C should
change the protocol out from under them?  This will undoubtedly break
quite a few services, deployed libraries and software from quite a few
organizations.

http://www.w3.org/blog/systeam/2008/02/08/w3c_s_excessive_dtd_traffic/

> Very much in agreement and this also lines up with the TAG’s recent
> rumination on secure origins and general securing of the web (against
> pervasive monitoring among other threats). I believe there is some
> ongoing work on this in the W3C systems team - maybe Ted could
> comment?


-- 
Ted Guild <ted@w3.org>
W3C Systems Team
http://www.w3.org

Received on Monday, 17 November 2014 18:13:49 UTC