Link Breakage: Address that moving to HTTPS URLs breaks links wholesale #11
Comments
Client libraries can and should try https: whenever an http: request fails. However, having clients fall back to http: when https: was asked for ought to be forbidden. Happily, this asymmetry encourages servers to make the switch.
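The upgrade-on-failure behavior described above could be sketched as follows (a hypothetical helper using only the standard library, not any particular client library's actual API):

```python
import urllib.error
import urllib.request


def https_form(url: str):
    """Return the https: form of an http: URL, or None if not applicable."""
    if url.startswith("http://"):
        return "https://" + url[len("http://"):]
    return None


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a URL; if a plain-http request fails, retry it over https.

    The reverse is deliberately unsupported: a failing https: request
    is never downgraded to plain http.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        upgraded = https_form(url)
        if upgraded is None:
            raise  # https: (or non-http) failures are never retried insecurely
        with urllib.request.urlopen(upgraded, timeout=timeout) as resp:
            return resp.read()
```

The one-way check in the `except` branch is the point: the upgrade path exists, the downgrade path does not.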
@timbl I'm a bit confused here. Everyone I've seen who's transitioned to HTTPS in the past several years has properly 301 redirected from http:// to https://. Could you elaborate on what you mean by link-breaking? Are you seeing lots of organizations not 301 redirecting?
Also: Strict Transport Security.
This is precisely what […]
301 doesn't work well here because it allows UAs to rewrite POST to GET when following the redirect. 308 (RFC 7538) might work, though.
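That distinction can be captured in a tiny policy function (a sketch; the function name is made up, the status-code semantics are from RFC 7231 and RFC 7538):

```python
def upgrade_redirect_status(method: str) -> int:
    """Choose a redirect status for an http: -> https: upgrade.

    301 permits user agents to rewrite POST to GET when following the
    redirect; 308 (RFC 7538) requires the method and body be preserved.
    GET/HEAD have nothing to lose, so 301 is fine for them (and better
    supported by very old clients); anything else should get 308.
    """
    return 301 if method.upper() in ("GET", "HEAD") else 308
```

A server-side upgrade rule would call this per request rather than hard-coding a single status for all methods.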
Developing an HTTP server that produces and consumes RDF resources, and performing authentication over TLS, I've found the extra […]. In particular, my HTTP server uses http: URIs internally (for production of new URIs, but more importantly, for the database of historical ones), and it will answer queries in the form of […]. If the HTTP server is accepting queries in plaintext, that could result in an unacceptable leak of sensitive information from clients. And some resources just can't be renamed, so a 3xx redirect doesn't really solve the problem (if I recall, Firefox will flag the page if any request in a chain of redirects is non-secure, even if the final page by itself is secure; shouldn't this be noted/considered?).

For applications that require long-lived identifiers, particularly http: identifiers, there really needs to be some way to say "http:, but over TLS", even if only for non-browser user agents. HSTS doesn't seem to quite do this, though it seems to be the closest existing solution.
This is false; please don't spread misinformation. |
@domenic: that might be true if by "flag" the OP means "trigger mixed content warning/blocking" (when a fetched subresource is redirected). Both Chrome's and Firefox's active mixed-content blockers fire before an http: resource can be redirected to https:; I'm not sure whether the passive mixed-content warnings work similarly. But in any case, this is irrelevant to links, which don't trigger mixed content blocking.
@domenic https://bugzilla.mozilla.org/show_bug.cgi?id=418354 I know this is correct because I just had to fix that bug in an application! Customers were being sent first to a legacy application that didn't go through a secure origin. I suggest trying it yourself.
Yes, I didn't realize you were actually including insecure resources in your page; if that's the case it's certainly mixed content as usual.
On 2014-12-26, at 15:18, Thaddee Tyl notifications@github.com wrote:
But what about web sites where the port 443 site is a completely different site from the port 80 site?
On 2014-12-26, at 19:50, Yehuda Katz notifications@github.com wrote:
They apply to one URI only.
That's HSTS, I think.
BTW, right now when I type a hostname into a browser without a scheme, it defaults to HTTP -- an interesting discussion could be had about whether and when it should ever default to HTTPS. That's in scope for WebAppSec, but probably not for this doc.
HSTS only kicks in after the first redirect plus the proper response header on an https: retrieval, so there is still a need to protect that first hit. (DNS was a possibility, but exporting too much metadata at that level is also an issue.)
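For context, HSTS is declared by a single response header that the server sends over an authenticated (https:) connection; the max-age value below is illustrative, not a recommendation:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
```

Per RFC 6797, browsers ignore this header when received over plain http:, which is exactly why the first unprotected hit discussed here remains a problem.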
Can you expand upon "need"? Is it just round trips you're looking to avoid, or...? Considering that HSTS is cached -- usually for a very long time -- I suspect it's going to have appreciably better performance without trading off security (acknowledging that HSTS isn't perfect there).
Well, to avoid the first redirect, i.e. the first unencrypted communication with the server. Even if everything after that is encrypted (and the choice is usually cached for months), the first hit might be revealing.
On 2015-01-03, at 16:54, Mark Nottingham notifications@github.com wrote:
Never say "just" before "round trips" :-) In the 1980s one Brian Carpenter was a thought leader in protocols at CERN, and he told me memorably that only two things matter for network protocol performance: the time taken to copy the message, and the number of round trips. Nowadays I guess the two most important things are round trips and round trips... That's why I would like to see tables of round-trip counts for all the options. Can someone please write this down from a knowledge of the protocols, or do we have to measure it with Wireshark or something?!
The time it takes when you first use a given source of data is also important, a separate variable from the time taken on subsequent uses. E.g. suppose a viral social app had a very long first-use time to first byte; that would likely decrease its likelihood of spreading virally, as new users would follow another link while it loaded, and be lost. I agree that the thing to optimize may be mainly subsequent uses, but one should not ignore first use completely. (timbl, Director hat off)
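A rough version of the requested round-trip table can be computed from well-known handshake costs. The numbers below are illustrative assumptions, not measurements: TCP setup is 1 RTT, a full TLS 1.2 handshake is 2 RTTs (TLS 1.3 cuts this to 1), and each HTTP request/response exchange is 1 RTT:

```python
TCP_HANDSHAKE = 1    # SYN / SYN-ACK before the first request can go out
TLS12_HANDSHAKE = 2  # full TLS 1.2 handshake; TLS 1.3 needs only 1
REQUEST = 1          # one HTTP request/response exchange

round_trips = {
    # Plain http: link, no upgrade at all.
    "http: direct": TCP_HANDSHAKE + REQUEST,
    # http: link, server answers 301/308, client reconnects over TLS.
    "http: then redirect to https:": (TCP_HANDSHAKE + REQUEST)
                                     + (TCP_HANDSHAKE + TLS12_HANDSHAKE + REQUEST),
    # https: link, or HSTS already cached from an earlier visit.
    "https: direct (or HSTS cached)": TCP_HANDSHAKE + TLS12_HANDSHAKE + REQUEST,
}

for scenario, rtts in round_trips.items():
    print(f"{scenario}: {rtts} RTTs to first response byte")
```

So under these assumptions the redirect path costs roughly half again as many round trips as going to https: directly, which is the performance case for HSTS (or for publishing https: links in the first place).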
I think this is addressed in current text. Tim, if you have a concern, please reopen. |
The disappearance of web material and the rotting of links is itself a major problem. This finding currently encourages the wholesale breaking of links by moving from http: to https:, perhaps doing more damage to the web than any other change in its history.
The TAG can't publish this finding without addressing this issue. Things which need to be discussed could include […] etc.
Search engines, which trawl the whole web as https: and not http: anyway, will be able to figure out easily where the "s" makes no difference, but general application code and libraries won't unless it is codified.