[HTTPS-Everywhere] HTTPS Everywhere is unscalable (uses central database)

Seth David Schoen schoen at eff.org
Fri Apr 29 10:25:32 PDT 2011


Phil Vandry writes:

> In fact, HTTPS Everywhere could be piggybacked on DNS, couldn't it?
> To determine the HTTPS vs. HTTP policy for www.example.org, you
> query for a TXT record as _httpspolicy.www.example.org. and parse
> it to find out whether you should rewrite URLs from http to https.
> Like the results from any other DNS query, this "_httpspolicy"
> resource record is cachable and securable with DNSSEC.
> 
> The centralized database could be kept as a legacy measure to keep
> rules for websites which have not yet published their policies
> themselves.

I agree with this.  I think your observation is exactly right, and
there will be a mechanism for sites to set an HTTPS policy in DNSSEC
and it will ultimately protect more people and more reliably than HTTPS
Everywhere.  However, right now we don't have such a standard and we
are also contending with the majority of sites that offer HTTPS but
don't try to make it a default, including popular sites like Google,
Facebook, Twitter, and Wikipedia.

I don't know what the best place to work on that standardization
right now is, but we can ask Jeff Hodges.  Right now there is a
standards effort at IETF called DANE to put TLS information into
DNSSEC, but their focus is on presenting cryptographic keys and not
"you should use TLS" policies.  (I should say that their focus now
is on "what to do when you use TLS", not "whether you should use
TLS".)  The most relevant standard to doing what you describe is
called HSTS but it's currently only carried in-band in HTTPS, not
over DNSSEC.  Everyone working on it has understood that it needs to
be carried out-of-band eventually.

As evidence that not very many sites would be prepared to take this
plunge today, see

http://www.chromium.org/sts

I believe I personally know the administrators of 1/3 of the sites
on the HSTS preload list. :-)

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107


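A worked illustration of the "_httpspolicy" TXT-record lookup proposed in the quoted message, added here as an example; it is not code from this thread, from HTTPS Everywhere or from the EFF. The record syntax ("v=httpspolicy1; upgrade=yes|no; includeSubDomains"), the stub resolver answers and the legacy rule table are all constructed assumptions; no such record was ever standardized. The check a practitioner would insist on is that only DNSSEC-authenticated answers (the validating resolver's AD flag) may drive an upgrade decision: an unauthenticated record can be stripped or forged by whoever can spoof DNS, which is the same attacker the http-to-https rewrite is meant to defeat, so such an answer is treated as absent and the legacy central rules are consulted instead.

```python
"""Hypothetical out-of-band HTTPS policy via a _httpspolicy TXT record.

Assumed record syntax (not a standard):
    "v=httpspolicy1; upgrade=yes; includeSubDomains"
"""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

POLICY_LABEL = "_httpspolicy"


@dataclass
class DnsAnswer:
    txt: list            # TXT strings; empty for NXDOMAIN / NODATA
    ad: bool             # DNSSEC "authenticated data" flag from the resolver


# Constructed stub zone data standing in for real DNS queries.
STUB_ZONE = {
    "_httpspolicy.www.example.org.": DnsAnswer(
        ["v=httpspolicy1; upgrade=yes; includeSubDomains"], ad=True),
    # Unsigned zone: the answer is present but cannot be authenticated.
    "_httpspolicy.www.example.net.": DnsAnswer(
        ["v=httpspolicy1; upgrade=yes"], ad=False),
    # Signed, but the site explicitly opts out of upgrading.
    "_httpspolicy.www.example.com.": DnsAnswer(
        ["v=httpspolicy1; upgrade=no"], ad=True),
}

# Legacy central rule database (stand-in for the HTTPS Everywhere rulesets).
LEGACY_RULES = {"www.wikipedia.example": True}


def resolve_txt(name):
    """Stub resolver: unknown names get an authenticated denial of existence."""
    return STUB_ZONE.get(name, DnsAnswer([], ad=True))


def parse_policy(txt_strings):
    """Parse the hypothetical policy record; None if absent or malformed."""
    for s in txt_strings:
        fields = [f.strip() for f in s.split(";") if f.strip()]
        if not fields or fields[0] != "v=httpspolicy1":
            continue
        policy = {"upgrade": False, "include_subdomains": False}
        for f in fields[1:]:
            key, _, value = f.partition("=")
            key, value = key.strip().lower(), value.strip().lower()
            if key == "upgrade":
                if value not in ("yes", "no"):
                    return None          # malformed: fail closed, no upgrade
                policy["upgrade"] = value == "yes"
            elif key == "includesubdomains":
                policy["include_subdomains"] = True
            # Unknown keys are ignored for forward compatibility.
        return policy
    return None


def lookup_policy(host):
    """Walk host, then its parents; only DNSSEC-authenticated answers count."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = POLICY_LABEL + "." + ".".join(labels[i:]) + "."
        answer = resolve_txt(name)
        if not answer.ad:
            # Forgeable by an on-path attacker: treat exactly like no record.
            continue
        policy = parse_policy(answer.txt)
        if policy is None:
            continue
        if i == 0 or policy["include_subdomains"]:
            return policy
        return None                      # parent record does not cover us
    return None


def should_upgrade(host):
    """DNS policy first; fall back to the central database when none exists."""
    policy = lookup_policy(host)
    if policy is not None:
        return policy["upgrade"]
    return LEGACY_RULES.get(host.lower(), False)


def rewrite_url(url):
    """Rewrite http:// to https:// on the default port when policy says so."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if parts.port not in (None, 80):
        return url                       # non-default port: no safe mapping
    if not should_upgrade(parts.hostname):
        return url
    host = parts.hostname
    if ":" in host:                      # re-bracket an IPv6 literal
        host = "[" + host + "]"
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in ("http://www.example.org/path?q=1", "http://www.example.net/",
              "http://www.example.com/", "http://api.www.example.org/x"):
        print(u, "->", rewrite_url(u))
```

The walk up the name tree mirrors how an includeSubDomains flag would work; a parent record without that flag is deliberately not applied to children, and a malformed upgrade value fails closed rather than guessing.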
