[HTTPS-Everywhere] Always redirect to https when TLSA records exist?

Seth David Schoen schoen at eff.org
Fri Sep 12 18:44:50 PDT 2014


Paul Wise writes:

> I don't have any data but I would hazard a guess that sites with DNSSEC
> and TLSA setup are serious enough about security to not be that broken.

I agree that those are very good signs that the operator cares about
security, but it's still possible to imagine that they only serve a
subset of their site resources over HTTPS.

http://www.internetsociety.org/deploy360/resources/dane-test-sites/

suggests that people who use TLSA may still make mistakes (or use CACert,
which we wouldn't want to redirect to HTTPS automatically for -- we
have treated CACert sites as default_off in the past and have a platform
distinguishing tag for them, though I forgot if we finished implementing
that).

One problem is that not everyone has agreed that it's "broken" to have a
resource at http://example.com/foo without also having a corresponding
resource at https://example.com/foo with the same meaning.  Some site
operators maintain that if they didn't create the latter resource
intentionally and then advertise it, there is no reason users should
expect it to work, even if the site does have an HTTPS listener.  We also
have a small number of sites that have HTTPS resources that work where
the site operator has asked us not to redirect the general public to
them -- until this week Reddit was an example, while I believe that W3C
is still an example.  You could imagine either Reddit or W3C publishing
TLSA records to try to prevent attacks without also changing their
positions on default redirection.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107

