#whatwg on 2014-09-15

03:04	<Domenic>	https://www.whatwg.org/ has mixed content
03:05	<Domenic>	and all the links go to http://
03:05	<Domenic>	I guess the //-ification of the homepage hasn't happened yet
06:41	<mathiasbynens>	links are not the problem; it’s the embedded resources
06:42	<mathiasbynens>	<object> <img> etc.
06:43	<Domenic>	the links are problematic if we want to encourage SSL usage
06:43	<mathiasbynens>	ofc
06:44	<mathiasbynens>	ah, i’d missed the “and” in your message
06:47	<mathiasbynens>	also the redirects in `.htaccess` (e.g. `/C`) are still hardcoded to `http://`
06:49	<mathiasbynens>	a server-wide search/replace for http://*.whatwg.org/ → https://\1.whatwg.org/ would be nice
08:10	<MikeSmith>	annevk: will fix the platform.html5.org image thing later today. (last day of vacation here in Berlin with Nao and the weather's beautiful so we're headed off to ride some bikes around a lake9
08:18	<annevk>	MikeSmith: I just fixed it for you
08:18	<annevk>	I also updated all commit hooks on GitHub for my WHATWG domains to https:// and enabled HSTS
08:21	<annevk>	http://xkcd.com/1421/ :-)
08:24	<zcorpan>	is IndexSizeError in http://dev.w3.org/fxtf/geometry/#DOMMatrix et al right or wrong?
08:29	<annevk>	The reference it uses for it is almost certainly wrong
08:30	<annevk>	But yeah https://dom.spec.whatwg.org/#indexsizeerror not sure
08:33	<MikeSmith>	annevk: ah ok -- thanks
08:55	<annevk>	https://blog.whatwg.org/rolling-out-tls-and-hsts
08:56	<mathiasbynens>	\o/
09:06	<annevk>	Guess I need to update my email signature
09:34	<annevk>	Security incentives are all wrong. Why is https a character longer?
09:37	<annevk>	hsivonen: the Mozilla IETF crowd is scary. Cameras without TLS? How can that be something we aim for?
09:42	<annevk>	http://www.android.com/one/ "Always the latest software" such an odd marketing message coming from Google
09:47	<annevk>	By the way, if anyone in this channel wants to setup TLS, I'm willing to help out
10:05	<hsivonen>	annevk: is it expected that webm.html5.org has changed its ssh host key in the last year or so?
10:05	<hsivonen>	annevk: it says the current fingerprint is 68:36:d3:fa:a4:40:ae:1a:ae:38:b7:3a:83:34:8f:74
10:08	<hsivonen>	annevk: you need to ask Ivan Ristić why ssllabs doesn't make more noise about RC4
10:09	<hsivonen>	annevk: it does show IE11 on Windows 8.1 as failing to connect, though, if a site is RC4-only
10:09	<hsivonen>	annevk: which should look pretty bad
10:09	<hsivonen>	(though it only simulates IE's first handshake attempt, so after downgrading, IE connects)
10:12	<hsivonen>	Hixie: OK. I'll file a bug about the fragment parsing algorithm and non-HTML/SVG/MathML context
10:24	<annevk>	hsivonen: http://wiki.dreamhost.com/Security_Maintenance_%28SSH_Key_Change_and_Fixes%29
10:25	<annevk>	I just had a thought. What if the better your TLS story was, the less UI clutter a browser would show. And the worse it was, the more it would look like something is wrong.
10:27	<annevk>	Compare the address bar UI for https://www.dreamhost.com/ with http://www.dreamhost.com/
10:27	<annevk>	The TLS UI seems more cluttered for the user while it should be more obvious
10:31	<roc>	I just though "what if, the better your TLS story was, the less ads the browser would show"
10:31	<roc>	and then I realized Comcast is already implementing that.
10:32	<espadrine>	because of injected ads?
10:32	<roc>	yeah
10:32	<jgraham>	heh
10:32	<annevk>	roc: hehe
10:33	<jgraham>	Given the density of ads on the internet in general I'm not sure it's possible to tell the difference :(
10:33	<annevk>	But I don't get why we'd show "https://" for TLS. No normal user is going to get that and it actually looks more confusing than the alternative
10:33	<annevk>	Safari on the iPhone doesn't do it...
10:35	<jgraham>	At this point it probably isn't viable to make the internet look broken for http
10:36	<annevk>	We could remove "https://" as a start
10:37	<annevk>	We could change the globe with an icon that indicates surveillance
10:38	<jgraham>	"look for https" might be one of the few things that people know
10:38	<jgraham>	Of course they would probably be confused by https.evilsite.com
10:40	<annevk>	https://bugzilla.mozilla.org/show_bug.cgi?id=1067293
10:41	<jgraham>	But yeah, I guess "[insecure] site.tld" might work
10:48	<annevk>	hsivonen: it seems Ivan is on Twitter, he just retweeted Mike West who was challenging the W3C to follow the WHATWG in using TLS
10:48	<annevk>	hsivonen: guess I might ask him about it later and maybe once more complain to DreamHost about RC4 and IE11
11:15	<jgraham>	annevk: So how far are we from having html.spec.whatwg.org work?
11:15	<jgraham>	By which I mean "not be a redirect"
11:15	<annevk>	jgraham: I think Hixie would like it to remain a redirect
11:16	<annevk>	Hixie: are you planning on updating the certificate for www.whatwg.org as well?
11:16	<jgraham>	I would like to voice my disapproval at this
11:16	<annevk>	Hixie: also, will you make HSTS work or can you add my public key so I can do it?
11:17	<annevk>	jgraham: perhaps file a bug on the spec?
11:17	<jgraham>	A naming scheme with [spec].whatwg.org I can get behind
11:17	<jgraham>	Uh
11:17	<jgraham>	[name].spec.whatwg.org
11:17	<jgraham>	One that requires me to remember anything else, not so much
11:17	<jgraham>	(particularly the difference between c and C)
11:23	<hsivonen>	annevk: hmm. weird. webm.html5.org doesn't seem to know my ssh public key. I'm pretty sure I authorized my RSA key there when I migrated away from DSA.
11:23	<annevk>	hsivonen: do you want me to generate a fresh password?
11:23	<hsivonen>	annevk: yes, that would work, too
11:24	<annevk>	see pm
11:26	<hsivonen>	annevk: note that banks, etc., pay premium for UI clutter: EV
11:27	<hsivonen>	annevk: so giving https sites less UI clutter might not be the winning strategy
11:27	<annevk>	hsivonen: I was thinking that once it gains acceptance that we don't show the path by default
11:27	<hsivonen>	annevk: you may be interested in https://bugzilla.mozilla.org/show_bug.cgi?id=942136
11:27	<annevk>	hsivonen: EV might not show the domain by default
11:28	<hsivonen>	annevk: it would be pretty bad. you couldn't tell the difference between bugzilla.mozilla.org and www.mozilla.org then
11:29	<annevk>	oh ew
11:29	<annevk>	I'm not even sure why we decided to pay for EV, but yes, overall that would be an issue
11:30	<hsivonen>	annevk: of the browser vendors, Mozilla made a big deal of pushing EV back when it launched
11:31	<annevk>	:(
11:32	<jgraham>	Not showing the path by default is what Opera 12 did. Not sure it worked that wekk
11:32	<jgraham>	*well
11:40	hsivonen	notices that StartSSL has decided to capitalize "Van"
11:43	<hsivonen>	annevk: HSTS enabled for webm.html5.org
12:08	<hsivonen>	jgraham: do I need to take some action on https://critic.hoppipolla.co.uk/r/2564 ?
12:31	<jgraham>	hsivonen: No, you just need someone to review it. I guess I should be that someone. I'll have a look once I fix up Ms2ger's issues with the testtwf documentation
12:34	<hsivonen>	jgraham: OK. Thanks. I requested your review of the same .dat file over at bugzilla.mozilla.org, too.
13:52	<annevk>	hsivonen: ta
13:57	<annevk>	hsivonen: your bug report seems interesting, though I think making TLS UI as attractive as non-TLS should be higher priority
13:57	<annevk>	hsivonen: also, the amount of issues you mention with EV :-(
13:58	<annevk>	hsivonen: we should definitely do some kind of cert persistence and perhaps scope cookies / storage etc.
14:56	<jgraham>	hsivonen: Critic review is done
14:56	<mathiasbynens>	woo, annevk.nl is now on TLS too
14:57	<jgraham>	One issue that I think you should fix, when that's done push a new commit (just the changes, don't try to squash history or anything) and it will appear on critic and I can review it
14:57	<jgraham>	Then assuming that's OK I'll merg
14:57	<jgraham>	e
14:57	<annevk>	The main problem with annevk.nl is that I've configured it as a redirect. I think I'd actually need to fully host the domain to give it a proper setup. Same for www.annevankesteren.nl which automatically redirects, but does not automatically redirect to TLS version afaict.
14:58	<annevk>	DreamHost needs HSTS support as an option. That would make all of that work automatically I think.
14:58	<annevk>	Well, if they implemented it correctly.
16:12	<annevk>	hsivonen: https://twitter.com/ivanristic/status/511545125621993472
16:22	<JakeA>	annevk: Can we add Reponse as an alias to Response? I always type it wrong
16:27	<Hixie>	jgraham: what would html.spec.whatwg.org host? the multipage spec or the single-page spec? and where would the other go?
16:28	<Hixie>	jgraham: also, there's a lot of links to the old location
16:28	<gsnedders>	hsivonen: are you ever actually obliged to revoke a cert? could you just take the attitude that it started out as HTTP so it's no more insecure than how it started out (obviously false sense of security, but…)
16:30	<jgraham>	Hixie: Single page. Multipage would be under some path or a seperate subdomain. The old location could redirect
16:31	<Hixie>	what's the impact of the old location redirecting on things like position in search results?
16:31	<Hixie>	i guess the domain name having "html" in it might make it a net positive...
16:31	<jgraham>	Dunno, ask someone that works for Google
16:31	<Hixie>	well not just in google
16:32	<Hixie>	i'm pretty sure the impact with google is google shunts the page rank along the redirect
16:33	<jgraham>	I think the net win of going form "url no one can remember" to "url anyone can remember" is big enough that I would be prepared to take a temporary hit in search engine ranking
16:35	<Hixie>	fair enough
16:40	<Hixie>	what's the magic i need for HSTS again?
16:42	<Hixie>	oh you only send it over HTTPS?
16:42	<Hixie>	that makes it easier
16:42	Hixie	sticks this in his global htaccess file: Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
17:01	<annevk>	JakeA: haha
17:02	<annevk>	Hixie: you also need a redirect from non-TLS
17:02	<annevk>	Hixie: https://gist.github.com/annevk/3ec0c4cc129059eb567d
17:02	<Hixie>	the redirects are going in already
17:02	<annevk>	Hixie: not sure how you can make that work globally
17:02	<annevk>	okay
17:04	<jsbell>	annevk: Any idea if/when FF will implement set/get/getAll/has/delete on FormData?
17:04	<annevk>	jsbell: I don't, I'm not even aware of a bug
17:05	<jsbell>	annevk: thx. I couldn't find a moz bug either.
17:07	<Hixie>	ok the www.whatwg.org home page is no longer mixed content
17:07	<Hixie>	let me know if there's other affected pages
17:07	<annevk>	Hixie++
17:08	<annevk>	Hixie: home page is not yet redirecting to https:// btw
17:08	<Hixie>	yeah i wanted to fix the mixed content issues first :-)
17:08	<Hixie>	are the forums ready to redirect? zcorpan is having trouble logging in but we're not ever up at the same time so i haven't been able to help troubleshoot
17:09	<Hixie>	anyone seen variable recently? (aka eitana)
17:10	<Hixie>	looks like he hasn't logged in since 2010
17:10	<annevk>	I don't know my Forums account anymore
17:10	<Hixie>	i'm calling that abandoned and deleting history.whatwg.org
17:12	<Hixie>	what's the story on html-differences.whatwg.org ?
17:13	<annevk>	maintained by zcorpan
17:13	<Hixie>	looks like it's having styling issues
17:13	<annevk>	I can fix the issues I guess
17:13	<Hixie>	oh it's mixed content issues i guess
17:13	<annevk>	yes
17:13	<Hixie>	anyway, i should be keeping this domain then right
17:14	<Hixie>	btw once i'm done here you should be able to remove your redirect thing
17:14	<Hixie>	the http sites are just going to not exist any more
17:14	<Hixie>	well, they'll exist in that they'll be hardcoded to redirect at the panel level
17:14	<Hixie>	but your .htaccess files won't be doing anything with them
17:14	<Hixie>	so they'll just be slowing down the https loads
17:16	<Hixie>	MikeSmith: what's the story on help.whatwg.org?
17:17	<Hixie>	ooh
17:17	<Hixie>	http://n.whatwg.org/
17:17	<Hixie>	i guess i will _not_ in fact support https://n.whatwg.org/
17:17	<Hixie>	since that would just cause confusions
17:20	<annevk>	ooh, you have some kind of super powers even over the domains I host?
17:20	<annevk>	that sounds great
17:21	<annevk>	I guess it doesn't apply to dom.spec.whatwg.org yet, hopefully DreamHost can move that back as I requested
17:21	<Hixie>	well, i have the power to make you not host them :-)
17:21	<boogyman>	annevk: the primary owner of the acct has full access to all namespaces
17:22	<annevk>	boogyman: except for dom.spec.whatwg.org at the moment
17:22	<annevk>	I think, as that's a really weird hack
17:22	<boogyman>	whoever owns "whatwg.org" does
17:23	<Hixie>	boogyman: he means control over how it's hosted at dreamhost
17:23	<Hixie>	obviously i could move the entire domain elsewhere
17:23	<Hixie>	that would be a hell of a mess
17:23	<Hixie>	:-)
17:24	<boogyman>	Unless this is something new in their system, I am pretty sure you can change the location of the host between their hosted solutions.
17:26	<annevk>	I fixed html-differences
17:27	<annevk>	I guess I'll remove the HSTS stuff I did
17:27	<Hixie>	leave the header
17:27	<Hixie>	i can't affect your domains' headers with my .htaccess files
17:29	<annevk>	okay
17:30	<Hixie>	in setting up these redirects i'm sure i'm gonna get one wrong
17:30	<Hixie>	and we'll have http://figures.spec.whatwg.org redirect to https://fetch.spec.whatwg.org or some nonsense
17:30	<annevk>	are they all in one file?
17:31	<Hixie>	it's the web panel interface
17:31	<annevk>	your panel has separate controls for :80 and :443?
17:31	<Hixie>	yeah
17:32	<annevk>	neat
17:32	<annevk>	ooh I see, I do too
17:33	<annevk>	I did not realize that when you add secure hosting, it's basically the same thing as web hosting
17:33	<annevk>	I thought it was just a way to add certificates
17:35	<Hixie>	something wacky is going on with my html.spec.whatwg.org setup
17:35	<Hixie>	oh, local caching problem
17:35	<Hixie>	ok
17:36	<annevk>	oh man, that separate hosting thingy is exciting, I'm going to use that too
17:37	<annevk>	and update my blog post draft to not put blame on DreamHost for this
17:37	<Hixie>	heh
17:38	<Hixie>	what were you blaming dreamhost for? not being able to control them separately?
17:39	<Hixie>	oh yikes
17:39	<Hixie>	don't forget the trailing /
17:39	Hixie	breaks whatwg.org
17:49	<annevk>	That www.* would redirect to * first before redirecting to TLS. I also blamed them for not having HSTS support as a configuration, which still seems fair
17:55	<Hixie>	well it's trivial to add headers to all your sites
17:55	<Hixie>	i mean, you put one line in one file and you're done for all your sites
17:57	<Hixie>	ok so now i need secure icons for the browsers
17:57	<Hixie>	i'm tempted to just drop the stuff that says which browser implements what
17:57	<Hixie>	is there some better solution we can roll out?
17:57	<Hixie>	based on caniuse or something?
17:57	<annevk>	Hixie: html5.org has secure icons
17:58	<annevk>	Hixie: see https://html5.org/tools/web-apps-tracker
17:58	<annevk>	Although I think the preferred term is authenticated, since we don't know whether html5.org is actually secure
18:01	<Hixie>	i guess
18:01	<annevk>	Hixie: still failing basic checks on https://hstspreload.appspot.com/
18:01	<annevk>	Hixie: seems hard
18:02	<annevk>	in particular they require the redirect to carry the HSTS header
18:03	<Hixie>	hstspreload.appspot.com is dumb. i tell it to check whatwg.org and it says i can't because it's a redirect. i tell it to check www.whatwg.org and it says i can't because it's a subdomain.
18:03	<Hixie>	oh well wait
18:03	<Hixie>	we don't want to be in that list
18:03	<Hixie>	not everything in whatwg.org is going to be HTTPS
18:03	<Hixie>	for example, n.whatwg.org
18:07	<TabAtkins>	Domenic_: I'm not sure I understand why you want ecmarkdown to mark all OL bullets with the same number. I cant' find any reasoning behind it in the issues list for ecmarkup.
18:07	<annevk>	Hixie: the problem with not everything being HTTPS is that then users can be spoofed
18:07	<Hixie>	annevk: how?
18:07	<annevk>	Hixie: it seems better to simply explain this on n.whatwg.org as a naming problem
18:08	<annevk>	Hixie: e.g. an attacker could make them visit secure.whatwg.org and present some login form
18:08	<Hixie>	login form to what?
18:08	<annevk>	Hixie: blog or wiki or forums
18:08	<annevk>	Hixie: the includeSubdomain directive is there to prevent this problem
18:09	<Hixie>	the blog and wiki and forums are open to everyone anyway
18:09	<Hixie>	they need but ask
18:09	<Hixie>	why would anyone go to the effort of somehow getting DNS to return a fake entry just to get someone's forum password?
18:10	<jgraham>	Well it's quite high probability that that user uses the pw elsewhere
18:11	<Hixie>	(that's why for the spec's own stuff i generate passwords instead of letting you set it)
18:11	<svl>	if the user is an admin, quite some damage can be done with that password
18:12	<Hixie>	if a whatwg blog admin can be phished in that way, we have bigger problems
18:12	<Hixie>	like, they're probably not qualified to be doing their job
18:13	<Hixie>	we also have company.demos.whatwg.org which isn't covered by a cert
18:22	<Hixie>	annevk: isn't there some way we can secure the DNS so that they can't do that, btw? It seems like if they can add DNS entries, they can probably get certs for them anyway.
18:35	<annevk>	Hixie: from what I read DNSSEC doesn't really cover anything on top of TLS
18:35	<annevk>	Hixie: and as long as they don't control whatwg.org they cannot issue certificates for it if the CAs are doing their job
18:36	<Hixie>	you want to bet that there's no CA that'll issue a cert for a subdomain?
18:36	<Hixie>	how do you do certs fro dyndns.org style setups then?
18:43	<Hixie>	ok i'm going for lunch. Other than HSTS headers not being included in the https://whatwg.org to https://www.whatwg.org redirect, the existence of *.demos.whatwg.org, and the status of n.whatwg.org, i'm not aware of any open issues with respect to our TLS conversion.
18:44	<mathiasbynens>	\o/
18:49	<annevk>	sounds great
18:57	<annevk>	mathiasbynens: are you using PHP? Have you had problems with the Header set directive not affecting PHP scripts?
19:13	<mathiasbynens>	annevk: yes and no
19:16	<mathiasbynens>	btw, time to change your freenode passwords everyone: https://blog.freenode.net/2014/09/server-issues-2/
19:16	<mathiasbynens>	annevk: details?
19:21	<TabAtkins>	mathiasbynens: Thanks for the heads-up.
19:30	<mathiasbynens>	just updated https://javascript.spec.whatwg.org/ and auto-replaced all .whatwg.org/.html5.org/annevankesteren.nl links in my blog database — feels good
19:32	<caitp>	huh, what does sequence<T> mean when it's the return type of an idl-exposed method? is that somehow different from Array<T>?
19:32	<TabAtkins>	caitp: It means you're returning an array.
19:32	<TabAtkins>	Array<T> doesn't exist in WebIDL, does it?
19:32	<caitp>	I thought we already had an Array type in IDL
19:33	<caitp>	not Array<T> but T[]
19:33	<TabAtkins>	Those are different and terrible.
19:34	<TabAtkins>	I never remember exactly how/why.
19:34	<TabAtkins>	I've just learned over time that you should always use sequence<>.
19:34	<caitp>	nobody ever said webidl wasn't confusing :>
19:36	<TabAtkins>	Based on vague memories and reading the spec just now, T[] doesn't actually define a JS Array, just a look-alike.
19:38	<caitp>	I sort of thought it worked like rest parameters
19:39	<caitp>	sequence<> I mean
19:39	<TabAtkins>	?
19:39	<caitp>	"this is a list representing a sequence of arguments", but I guess that doesn't make sense for a return value
19:39	<TabAtkins>	foo(sequence<T>) just means it'll take an array-like. It doesn't do any rest magic.
19:40	<TabAtkins>	IDL types in argument lists are just instructions for which conversion operation to do.
19:40	<TabAtkins>	They're actually "types" when used as return values.
20:02	<annevk>	mathiasbynens: I run PHP under DreamHost's FastCGI
20:02	<annevk>	mathiasbynens: it does not seem to pick up on .htaccess' set headers
20:02	<annevk>	mathiasbynens: evidence is annevankesteren.nl
20:03	<mathiasbynens>	annevk: HSTS, you mean?
20:03	<annevk>	mathiasbynens: yes
20:03	<mathiasbynens>	what does the .htaccess look like
20:04	<mathiasbynens>	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
20:04	<mathiasbynens>	…is what i’m using
20:04	<annevk>	Yeah it looks like that, it's picked up by e.g. html5.org just fine
20:05	<mathiasbynens>	ah, indeed, and https://annevankesteren.nl/test/ has the correct header too
20:05	<mathiasbynens>	no clue tbh :/
20:06	<mathiasbynens>	annevk: http://serverfault.com/a/383063/13896
20:08	<annevk>	Header always set then?
20:09	<mathiasbynens>	i’d give that a try
20:10	<annevk>	nope
20:10	<mathiasbynens>	:(
20:17	<annevk>	mathiasbynens: https://html5.org/tools/web-apps-tracker which is a Python script includes the header regardless of the always setting
20:18	<annevk>	Reading those docs I wonder if Header unset X-Pad works
20:30	<zcorpan>	annevk: yeah i think php doesn't do anything with headers set in htaccess
20:31	<annevk>	But all over the web it's suggested it should
20:31	<zcorpan>	oh. then i dunno
20:31	<mathiasbynens>	zcorpan: it does for me, but then again i’m not using php-cgi
20:32	<zcorpan>	might need to flip something in php.ini or whatever. php has lots of twiddles
20:33	<mathiasbynens>	P̆ͭ҉̭̗H̓͆҉̸͞Pͧ̄҉͖̱
20:33	<annevk>	There's https://bugs.launchpad.net/ubuntu/+source/libapache-mod-fastcgi/+bug/1368308
20:34	<mathiasbynens>	“This bug affects 1 person”
20:35	<annevk>	https://gist.github.com/mfdj/11122524 is someone with the same problem
20:36	<mathiasbynens>	give up and use `header()` i guess
20:39	<annevk>	Almost did configuration with a single file for a dozen domains, now I have to hack dozens of PHP files
20:44	<annevk>	If it would not be such a hassle to switch from DreamHost...
20:56	<jgraham>	There's an element of sunk cost fallacy about that argument :)
20:57	<zcorpan>	annevk: fwiw opera hides https://
20:58	<annevk>	jgraham: it's opportunity cost I think
20:58	<annevk>	jgraham: since switching is non-zero-cost
20:59	<annevk>	Seems I already somewhat started on a common header include file, yay me
21:00	annevk	submitted a whole bunch of sites to https://hstspreload.appspot.com/
21:01	<jgraham>	annevk: Right, but if the cost of switching in the long term is smaller than the cost of maintaining the DH setup it's a poor choice
21:01	<jgraham>	I have no idea if it is or not
21:02	<annevk>	I might try rent a VPS with TransIP at some point and play around to see if it meets my needs
21:03	<annevk>	Having full control over the server and DNS is somewhat enticing
21:04	<jgraham>	Seems kind of expensive after the first 3 months
21:07	<zcorpan>	jgraham: opera 12 showed the path, it just hid the query and hash (and scheme)
21:08	<annevk>	jgraham: I'm open to recommendations I guess
21:09	<annevk>	jgraham: ideally I'd have something managed, but also full control...
21:09	<jgraham>	zcorpan: Yeah, you're right. I just remember it did something very annoying. And I spent a long time arguing with Sigbjørn that it would be very annoying and eventually I did indeed find it very annoying :)
21:10	<zcorpan>	i also find it annoying (hiding the scheme is ok so long as copy/paste includes it)
21:11	<jgraham>	Yeah, the scheme is fine, I don't really use it to locate myself. But the query is the most important thing on many sites
21:19	<zcorpan>	Hixie: does n.whatwg.org need to exist?
21:19	<jgraham>	annevk: Well I have used Linode who seem to be OK
21:21	<zcorpan>	annevk: is it a problem if n.whatwg.org doesn't use TLS?
21:31	<jgraham>	I think that "does it need to exist" is a better question
21:35	<zcorpan>	seems like it's a problem if the HSTS header for whatwg.org says includeSubDomains? but yeah
21:36	<Hixie>	zcorpan: well, it's a minted namespace.
21:36	<Hixie>	zcorpan: so some people think it should
21:37	<Hixie>	the HSTS header for whatwg.org doesn't currently includeSubdomains because of n.whatwg.org and company.demos.whatwg.org
21:38	<annevk>	See also http://tools.ietf.org/html/rfc6797#section-14.4 for why includeSubdomains exists
21:40	<jgraham>	What is company.demos.whatwg.org?
21:40	<Hixie>	annevk: seems like a serious problem to me if people can add new subdomains
21:40	<Hixie>	annevk: i'm also confused as to how dyndns.org and local intranet sites (e.g. printers) are supposed to get certs
21:44	<annevk>	Hixie: you need to get public names for your local intranet starting November 2015
21:44	<annevk>	Hixie: I hope we can find something better than this CA system though
21:44	<annevk>	Hixie: there's http://tack.io/ but it seems dormant
21:45	<Hixie>	how do you mean, "you need to get public names for your local intranet starting November 2015"
21:45	<Hixie>	and are you saying that you can't host web sites using TLS on *.dyndns.org ?
21:52	<Hixie>	jgraham: some demo site linked to from http://whatwg.org/demos/
21:52	<Hixie>	jgraham: do you like the new html spec url btw?
21:52	<willchan>	if you can prove ownership of the {x}.dyndns.org hostname to a SSL CA doing domain validation, then you can serve https for it
21:52	<annevk>	Hixie: see e.g. https://www.digicert.com/internal-names.htm for the November 2015 change in CA policies
21:53	<annevk>	I wish I had a better reference, maybe something on https://cabforum.org/
21:53	<annevk>	I said the other day something about TC39 being bad, CA\|B is worse
21:54	<annevk>	Or CA/B
21:54	<willchan>	annevk: there's hpkp (https://tools.ietf.org/html/draft-ietf-websec-key-pinning) which is supported today (whereas tack is still a WIP). it's fairly high maintenance though.
21:55	<annevk>	https://cabforum.org/internal-names/ looks like a more formal announcement of the November 2015 thing
21:57	<zcorpan>	Hixie: annevk: ok added a header for forums.whatwg.org
21:58	<Hixie>	willchan: if you can do that, what's stopping you from doing that to {x}.whatwg.org, thus enabling fishing within the whatwg.org domain even with subdomain-hsts?
21:58	<zcorpan>	should the initial http->https redirect include the HSTS header?
21:58	<annevk>	zcorpan: no, HSTS header is only for TLS resources
21:59	<Hixie>	annevk: wait, what? not only do you have to use a publicly registered domain name, but you even have to use a public IP range?!
21:59	<Hixie>	zcorpan: HSTS is ignored on non-authenticated connections
21:59	<zcorpan>	k
22:00	<annevk>	Hixie: I guess so, not sure how that's going to work for private networks then
22:00	<annevk>	Hixie: I guess I better remove the batteries from my scale
22:01	<annevk>	Hixie: I'm fairly new to this, but I'll try to find answers I guess
22:03	<Hixie>	anyway, the rfc says that includeSubdomains is to protect against cookie theft, not phishing
22:03	<Hixie>	i don't really understand how it does that either
22:03	<Hixie>	but that's a separate issue
22:03	<Hixie>	we don't have any domain cookies
22:03	<annevk>	mathiasbynens suggested the phishing angle
22:04	<annevk>	Hixie: I'd imagine blog/wiki/forums all issue cookies
22:04	<Hixie>	sure but not domain cookies
22:04	<annevk>	if you omit domain, what is it scoped to?
22:05	<Hixie>	current host
22:05	<annevk>	anyway, I was mostly interested in getting us in the TLS-only list
22:05	<willchan>	hixie: do you allow any rando to create a subdomain on whatwg.org? if so, then yeah, if they can prove ownership of that hostname, then they may be able to convince a SSL CA to issue them a cert.
22:06	<Hixie>	willchan: we do not
22:06	<Hixie>	willchan: but anne was saying that without includeSubdomains, maybe people will be able to fake a subdomain anyway somehow
22:07	<Hixie>	not sure how
22:07	<willchan>	hixie: i think that's wrong
22:07	<zcorpan>	hmm, have a proposal for a bank: custom scheme on the forums. https://forums.whatwg.org/bb3/viewtopic.php?f=4&t=5216 (basically for QR on bills instead of typing in the details)
22:08	<willchan>	hixie: hsts includeSubdomains is to force HTTPS on the subdomains too, so you don't have to visit the specific subdomain first in order to prevent ssl stripping attacks.
22:11	<annevk>	is there some way to pin a cert?
22:11	<Hixie>	pin it to what?
22:11	<Hixie>	i mean you could print it and pin it to a corkboard pretty easily
22:11	<annevk>	one thing I'm surprised about is that www.whatwg.org and dom.spec.whatwg.org use different certificates, but both certificates claim to cover www.whatwg.org
22:11	<Hixie>	also you could take a picture of it and pinterest it
22:11	<annevk>	why are there no warnings?
22:11	<Hixie>	why would there be warnings?
22:12	<Hixie>	what would the warning be for?
22:12	<willchan>	annevk: yes you can pin a cert, use hpkp
22:12	<willchan>	but yes, in absence of pinning, you can have multiple certs cover a name
22:12	<annevk>	I'd think it's more indicative of an attack, but perhaps it's totally fine...
22:12	<willchan>	which is why rogue/compromised CAs are a big deal, since they can issue certs for basically any name
22:13	<Hixie>	i think the solution for my home network is for me to be my own CA
22:13	<annevk>	Hixie: serious? :-(
22:13	<Hixie>	annevk: so dreamhost seem to be using OpenSSL 0.9.8o
22:14	<Hixie>	annevk: want to try to convince them to update to OpenSSL 1.0.1c+?
22:14	<Hixie>	then we can get forward secrecy
22:14	<annevk>	Hixie: I have emailed them, they say they'll likely issue updates once they have migrated towards Ubuntu
22:15	<willchan>	annevk: have you seen https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.whatwg.org%2F?
22:15	<annevk>	willchan: yeah I know
22:15	<annevk>	willchan: DreamHost :-(
22:15	<annevk>	willchan: https://twitter.com/annevk/status/509312141682540544
22:16	<Hixie>	annevk: great
22:16	<Hixie>	willchan: yeah, looking at it now, hence my comment just above :-)
22:16	<annevk>	nn
22:16	<Hixie>	nn
22:21	<Hixie>	oh we're on apache 2.2, so we'd need to update that too
22:23	<willchan>	annevk: the www.whatwg.org cert chain is a little weird too
22:24	<willchan>	don't need to include the self-signed root cert in the chain, since they're baked into browsers already
22:28	<willchan>	hixie: for your home network, browsers should remember your clicked through warning for a period of time and temporally "pin" that cert (https://code.google.com/p/chromium/issues/detail?id=262615). i believe firefox does this today.
22:31	<Hixie>	willchan: looks like i'm not allowed to see that bug
22:31	<Hixie>	but why temporarily?
22:32	<Hixie>	shouldn't it be for the lifetime of the cert? which should itself probably be forever, since the device ain't getting updated, realistically?
22:33	<willchan>	hm, silly bug is locked down. probably could be opened.
22:33	<willchan>	here's a public CL that describes lots of it: https://codereview.chromium.org/369703002
22:37	<Hixie>	you gotta love https://github.com/w3c/html/commit/15eb97cfc8b7fc97c2dcceaf92c748a2c1ae2e78
22:37	<Hixie>	i wonder if now that the types are registered, and now that the reference is obsolete, the whatwg should contact the ietf to have them updated... ---
22:37	<Hixie>	-_- even, not ---
22:38	<willchan>	hixie: i believe people have differing opinions on the lifetime, and i'm not well-informed on that aspect, so i won't chime in on it. it's possible that if we can identify the local network (perhaps via IP, a la https://w3c.github.io/webappsec/specs/mixedcontent/#private-url), it'd be reasonable to extend the lifetime. i dunno though.
22:38	<Hixie>	willchan: ah, yeah, not knowing if it's local would be an interesting issue
22:53	<zcorpan>	btw, JAB Creations is awesome for cleaning up spam on the forums. too bad there is almost zero non-spam
23:04	<Hixie>	so...
23:04	<Hixie>	if you fullscreen an element
23:04	<Hixie>	then remove its parent
23:04	<Hixie>	what happens?
23:04	<Hixie>	and why?
23:05	GPHemsley	says the fullscreen goes away
23:05	<zcorpan>	ALIENS
23:06	zcorpan	needs sleep
23:08	<Hixie>	GPHemsley: do any specs actually say that?
23:08	GPHemsley	is not a spec
23:08	<TabAtkins>	I mean, that's obviously what needs to happen. Dunno if it's written anywhere.
23:15	<GPHemsley>	Hixie: More detailed opinion: Destroying the parent fires a no-more-fullscreen event to all children
23:15	<GPHemsley>	or somesuch
23:16	<GPHemsley>	wait... don't we have the Fullscreen spec?
23:18	<Hixie>	https://fullscreen.spec.whatwg.org/ doesn't seem to answer this question
23:18	<TabAtkins>	Bug Anne, then.
23:18	<Hixie>	unless "removign steps" are run for descendants of removed nodes?
23:19	<Hixie>	no, doesn't seem like it...
23:29	<Hixie>	JakeA: ping https://github.com/slightlyoff/ServiceWorker/issues/410 ?
23:29	<Hixie>	(just added my comment)
23:29	<Hixie>	(but if you're around we can chat here)
23:37	<GPHemsley>	Hixie: I would imagine it has something to do with this: https://fullscreen.spec.whatwg.org/#fully-exit-fullscreen