So, to be clear, the W3C is going to avoid sending any confidential information, either in response bodies or in cookies, over non-secure connections? (I’m sure the W3C knows what they’re doing but I’m paranoid.)<br><br>Do W3C login pages always have the same URL? If not, can this be implemented (with any additional data sent via a POST request)? That way, the user can easily save this URL and check future URLs against it, to prevent SSL sniffing. This is particularly easy using Firefox’s bookmarks feature.<br>
<br><div class="gmail_quote">On Mon, May 16, 2011 at 1632 (UTC-8), Peter Eckersley <span dir="ltr"><<a href="mailto:pde@eff.org" target="_blank">pde@eff.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
[snip]<br>
<br>
----- Forwarded message from Ted Guild <<a href="mailto:ted@w3.org" target="_blank">ted@w3.org</a>> -----<br>
<br>
Date: Sun, 15 May 2011 15:54:27 +0200<br>
From: Ted Guild <<a href="mailto:ted@w3.org" target="_blank">ted@w3.org</a>><br>
To: Peter Eckersley <<a href="mailto:pde@eff.org" target="_blank">pde@eff.org</a>><br>
Cc: Jose Kahan <<a href="mailto:jose.kahan@w3.org" target="_blank">jose.kahan@w3.org</a>>, w3t-archive <<a href="mailto:w3t-archive@w3.org" target="_blank">w3t-archive@w3.org</a>>,<br>
<a href="mailto:information@eff.org" target="_blank">information@eff.org</a><br>
Subject: Exception to HTTPs Everywhere<br>
X-Mailer: Evolution 2.32.2<br>
<br>
Peter,<br>
<br>
We are getting ready to deploy selective SSL switching at W3C. Whenever<br>
credentials are required or content is intended to be confidential our<br>
access control system will automatically redirect the user to the<br>
corresponding HTTPS uri. Any content that is open to the public and<br>
doesn't send session data will be served via HTTP, redirecting to HTTP<br>
if the user accesses a HTTPS link (eg following a relative link).<br>
<br>
While many sites send information they shouldn't in the clear, we are<br>
going to apply SSL correctly. We get an excessive amount of traffic (up<br>
to 1/2 billion per day for DTD and schemata alone) and would rather not<br>
have to serve content more costly through SSL than we have to. As such<br>
please add <a href="http://w3.org" target="_blank">w3.org</a> to an exception list so that HTTPs Everywhere does not<br>
compete with our server side redirection.<br>
<br>
We are already finding issues with our SSL switching scheme and<br>
unintended traffic from HTTPs Everywhere before we put this SSL<br>
switching into full production.<br>
<br>
Regards,<br>
<br>
--<br>
Ted Guild <<a href="mailto:ted@w3.org" target="_blank">ted@w3.org</a>><br>
W3C Systems Team<br>
<a href="http://www.w3.org" target="_blank">http://www.w3.org</a><br>
<br>
<br>
<br>
----- End forwarded message -----<br>
<font color="#888888"><br>
[snip]<a href="tel:%2B1%20415%20436%209993" value="+14154369993" target="_blank"></a><br>
</font></blockquote></div><br>--<br>Brian Drake<br><br>Alternate (slightly less secure) e-mail: <a href="mailto:brian@drakefamily.tk" target="_blank">brian@drakefamily.tk</a><br>Alternate (old) e-mail: <a href="mailto:brianriab@gmail.com" target="_blank">brianriab@gmail.com</a><br>
<br>Facebook profile: <a href="https://ssl.facebook.com/profile.php?id=100001669405117" target="_blank">Profile ID 100001669405117</a><br>
Twitter username: <a href="https://twitter.com/BrianJDrake" target="_blank">BrianJDrake</a><br>Wikimedia project username: <a href="https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd" target="_blank">Brianjd</a> (been inactive for a while)<br>
<br>All content created by me <a href="http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html" target="_blank">Copyright</a> © 2010–2011 Brian Drake. All rights reserved.<br>