Paul Wise writes:

> I don't have any data but I would hazard a guess that sites with DNSSEC
> and TLSA setup are serious enough about security to not be that broken.

I agree that those are very good signs that the operator cares about security, but it's still possible to imagine that they only serve a subset of their site resources over HTTPS. http://www.internetsociety.org/deploy360/resources/dane-test-sites/ suggests that people who use TLSA may still make mistakes (or use CAcert, which we wouldn't want to redirect to HTTPS automatically for -- we have treated CAcert sites as default_off in the past and have a platform distinguishing tag for them, though I forgot if we finished implementing that).

One problem is that not everyone has agreed that it's "broken" to have a resource at http://example.com/foo without also having a corresponding resource at https://example.com/foo with the same meaning. Some site operators maintain that if they didn't create the latter resource intentionally and then advertise it, there is no reason users should expect it to work, even if the site does have an HTTPS listener.

We also have a small number of sites that have HTTPS resources that work where the site operator has asked us not to redirect the general public to them -- until this week Reddit was an example, while I believe that W3C is still an example. You could imagine either Reddit or W3C publishing TLSA records to try to prevent attacks without also changing their positions on default redirection.

--
Seth Schoen <[email protected]>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107

_______________________________________________
HTTPS-Everywhere mailing list
[email protected]
https://lists.eff.org/mailman/listinfo/https-everywhere
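The check the message argues for, as an added example that is not part of the thread or of HTTPS Everywhere's own tooling: a TLSA record is recorded only as a good sign, and the ruleset verdict depends on whether each sampled http:// resource has an https:// twin with the same meaning, whether the certificate is CAcert-issued, and whether the operator has opted out. All names (`Response`, `assess_site`, `SAMPLE_SITE`) and the sample site are constructed for this example; the fetcher is injected so it runs offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Added example, not HTTPS Everywhere code. Hypothetical names throughout.
@dataclass
class Response:
    status: int
    body: bytes
    issuer: str = ""  # certificate issuer organisation (https:// fetches only)

def to_https(url: str) -> str:
    return urlunsplit(("https",) + tuple(urlsplit(url)[1:]))

def equivalent(plain: Response, secure: Response) -> bool:
    # "Same meaning" approximated as equal status and equal body digest.
    return (plain.status == secure.status and
            hashlib.sha256(plain.body).digest() == hashlib.sha256(secure.body).digest())

def assess_site(urls: List[str], fetch: Callable[[str], Response], has_tlsa: bool,
                operator_opted_out: bool = False) -> Tuple[str, List[str]]:
    """Return ('default_on' | 'default_off', reasons) for a ruleset."""
    reasons: List[str] = []
    blocking = operator_opted_out
    if has_tlsa:
        reasons.append("TLSA record present: a good sign, not proof of coverage")
    if operator_opted_out:
        reasons.append("operator asked not to redirect the general public")
    for url in urls:
        https_url = to_https(url)
        plain, secure = fetch(url), fetch(https_url)
        if "cacert" in secure.issuer.lower():  # never auto-redirect to a CAcert cert
            reasons.append(f"{https_url}: CAcert-issued certificate")
            blocking = True
        if not equivalent(plain, secure):
            reasons.append(f"{https_url}: not equivalent to {url} "
                           f"(status {plain.status} vs {secure.status})")
            blocking = True
    return ("default_off" if blocking else "default_on"), reasons

# Constructed sample: the HTTPS listener works, but /foo was never published there.
SAMPLE_SITE: Dict[str, Response] = {
    "http://example.com/": Response(200, b"home"),
    "https://example.com/": Response(200, b"home", "Example CA"),
    "http://example.com/foo": Response(200, b"foo page"),
    "https://example.com/foo": Response(404, b"not found", "Example CA"),
}

def sample_fetch(url: str) -> Response:
    return SAMPLE_SITE.get(url, Response(404, b"", ""))
```

Run against the sample, `assess_site(["http://example.com/", "http://example.com/foo"], sample_fetch, has_tlsa=True)` returns `default_off` because /foo has no equivalent HTTPS resource, even though the TLSA record is present.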
