Closed christhompson closed 10 months ago
Looks good, however I see potential issues:
In local networks, having http
instead of https
for some servers that don't have (or want to have) access to the internet is more common, if the host name resolves to a local network, should the speculative upgrade happen in that case?
Also, could there be a http response header put on https-served site to indicate that content on http is not the same and not redirect to https? (ie: to signal that https update should not be done optimistically)
We've considered ways that we might avoid unnecessary upgrades for local networks (potentially building on top of some of the work that Private Network Access is doing). For now we settled on giving fairly open UA carveouts for exemptions in the spec itself -- Chrome's implementation is using this to exempt non-unique hostnames which we know can't get publicly trusted TLS certificates. For unique hostnames, there are many cases where these do have trusted TLS certificates despite resolving to local network addresses (e.g., the Plex model). On balance, because HTTPS-Upgrades will silently fallback to HTTP if the HTTPS request fails, this might add a small latency to some local network requests but should not cause breakage.
(For Chrome's "HTTPS-First Mode", which shows a full page warning to the user before falling back to HTTP, we are working on ways that we might reduce this warning burden on users for local network requests, but this is still WIP.)
Regarding a HTTP response header: We considered this when we were first proposing HTTPS-Upgrades but decided against it. An "opt-out" header is roughly equivalent to the site serving an HTTP downgrade redirect or just rejecting the HTTPS request (not responding on HTTPS or sending a reset) -- both will trigger the automatic fallback to HTTP. For sites that explicitly don't support HTTPS, we would recommend they serve a downgrade redirect. For the long-tail of sites that won't modify their configs, the new header wouldn't help.
Following up here to check if there are any other concerns or questions from TAG regarding this feature.
Is there any possibility of deleting HTTPS-Upgrades
FLAG?
@jeon3029 you might want to chime in on the blink-dev thread. https://groups.google.com/a/chromium.org/g/blink-dev/c/cAS525en8XE
Regarding a HTTP response header: We considered this when we were first proposing HTTPS-Upgrades but decided against it. An "opt-out" header is roughly equivalent to the site serving an HTTP downgrade redirect or just rejecting the HTTPS request (not responding on HTTPS or sending a reset) -- both will trigger the automatic fallback to HTTP. For sites that explicitly don't support HTTPS, we would recommend they serve a downgrade redirect. For the long-tail of sites that won't modify their configs, the new header wouldn't help.
I don't see this as an opt-out, more an indication that content served through https
and http
are not the same, so that if an optimistic upgrade to https
is done, the browser is aware that it's not the same content.
Also it is not a downgrade (as there is no redirect involved)
For sites that don't support https
well, then optimistic upgrade shouldn't work, no redirect to http
(as in that case it means they support it), unless by don't support you mean have broken configuration, like widely outdated cert, or self-signed one.
We discussed this during our breakout, and agree that in general it is a good direction (in line with our Secure the Web finding). We expressed our observations but it is not blocking. We also suggest that you ask the IETF http-wg for review. Thanks!
こんにちは TAG-さん!
I'm requesting a TAG review of HTTPS Upgrades.
Browsers may still make insecure HTTP requests to HTTPS-enabled sites, unnecessarily exposing data over unencrypted connections. Some browsers ship with lists of sites that are known to support HTTPS, beyond those already in the HSTS preload list. Maintaining such a list is opaque, as it requires web crawler data, and error prone, as it will necessarily be out of date by the time it is shipped to users. It can also be bandwidth intensive, containing thousands or millions of sites that need to be updated. HTTPS Upgrades proposes that the browser should automatically and optimistically upgrade all main-frame HTTP navigations to HTTPS, with fast fallback to HTTP.
Further details:
You should also know that...
This feature is implemented and can be tested in Chrome Canary/Dev/Beta by enabling chrome://flags#https-upgrades. It uses the same underlying code as Chrome's "HTTPS-First Mode" which can be enabled in chrome://settings/security by toggling the "Always use secure connections" setting.
We'd prefer the TAG provide feedback as:
💬 leave review feedback as a comment in this issue and @-notify @christhompson and @dadrian