Lookup _https._tcp SRV record and automatically use HTTPS for domain if record is found.
Reported by
skuldw...@gmail.com,
Oct 22 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36

Steps to reproduce the problem:
Feature request!

What is the expected behavior?
The user enters a domain example.com. The browser fetches the SRV DNS record. If the record "_https._tcp.example.com. 86400 IN SRV 0 0 443 example.com." is found, then behave as if the user had entered https://example.com

Here is a live example (for skuldwyrm.no):

nslookup -querytype=srv _https._tcp.skuldwyrm.no

Also note that

nslookup -querytype=srv _https._tcp.www.skuldwyrm.no

will return skuldwyrm.no instead of www.skuldwyrm.no, indicating that skuldwyrm.no is the preferred domain.

What went wrong?
This is not supported today.

Did this work before? N/A

Chrome version: 62.0.3202.62 Channel: stable
OS Version: 10.0
Flash Version:
Oct 22 2017
DANE uses TLSA records like _443._tcp.skuldwyrm.no and _443._tcp.www.skuldwyrm.no, which could also be used to indicate that HTTPS is available and thus the browser should try HTTPS first.
Oct 22 2017
HSTS is the approach undertaken by browsers today, but this is a topic of active discussion.
Oct 23 2017
If an SRV DNS entry is found indicating https, then the browser can act as if the domain was in the HSTS preload list. I guess this would need to be standardized into HTTP/2 though. Speaking as a web developer, it's super easy and quick to add this; alternatively some kind of TXT DNS entry could be used, I guess. Google does this already for its webmaster tools to authenticate site owners. The adoption could be rather high.
Oct 23 2017
Here is a proof of concept (it's really quick'n'dirty and crude, and I don't really know DOS batch, so apologies for bad coding): attached is concept.bat, which is a normal Windows batch script. Run the script as follows:

concept.bat skuldwyrm.no
concept.bat example.com

skuldwyrm.no should be opened in the default system browser using the https protocol, while example.com should open using the http protocol. Ideally the script should check the returned port and SRV hostname and use those instead, and I'll assume a proper browser implementation would too. This lookup only needs to be done the first time the browser encounters the domain, and the browser should cache it.
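The lookup described in the issue (and automated by the concept.bat attached above), as an added example in Python that is neither the reporter's script nor Chromium code: it builds the wire-format SRV query for _https._tcp.<domain>, parses the answer section of a DNS response (including RFC 1035 name compression), and applies the proposed rule, using the target and port the record actually returns rather than the domain typed by the user. The responses are constructed inline so the script runs offline; fake_response, choose_url and the a.test/alt.test names are assumptions of this example, not anything from the thread. Caching by TTL, which the comment above asks for, is left out.

```python
import struct
from dataclasses import dataclass

TYPE_SRV, CLASS_IN = 33, 1


def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels (RFC 1035 3.1); "." -> single zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_srv_query(domain, txid=0x1234):
    """Standard query, RD=1, one question: _https._tcp.<domain> IN SRV."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name("_https._tcp." + domain) + struct.pack("!HH", TYPE_SRV, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                           # stream continues after the pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


@dataclass
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_answers(resp):
    """Return (rcode, [SRV, ...]) from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                                  # skip the echoed question(s)
        _, off = read_name(resp, off)
        off += 4                                         # QTYPE + QCLASS
    records = []
    for _ in range(an):
        _, off = read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_SRV and rclass == CLASS_IN:
            pri, wt, port = struct.unpack("!HHH", resp[off:off + 6])
            target, _ = read_name(resp, off + 6)         # target may itself be compressed
            records.append(SRV(pri, wt, port, target))
        off += rdlen
    return flags & 0xF, records


def choose_url(domain, resp):
    """Proposed rule: SRV present -> https:// on the record's own target and port, else plain http."""
    rcode, records = parse_srv_answers(resp)
    if rcode != 0 or not records:                        # NXDOMAIN / NODATA -> no upgrade
        return "http://%s/" % domain
    # RFC 2782: lowest priority wins; among equals prefer higher weight (random draw omitted here)
    best = min(records, key=lambda r: (r.priority, -r.weight))
    if best.target == "":                                # target "." means service explicitly not offered
        return "http://%s/" % domain
    port = "" if best.port == 443 else ":%d" % best.port
    return "https://%s%s/" % (best.target, port)


def fake_response(query, answers, rcode=0):
    """Constructed test response (assumption of this example): echo the question, then append
    SRV RRs whose owner name is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)  # QR=1 RD=1 RA=1
    body = b""
    for pri, wt, port, target in answers:
        rdata = struct.pack("!HHH", pri, wt, port) + encode_name(target)
        body += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 86400, len(rdata)) + rdata
    return hdr + query[12:] + body


if __name__ == "__main__":
    q = build_srv_query("skuldwyrm.no")
    print(choose_url("skuldwyrm.no", fake_response(q, [(0, 0, 443, "skuldwyrm.no.")])))
    q = build_srv_query("www.skuldwyrm.no")            # record points at the bare domain
    print(choose_url("www.skuldwyrm.no", fake_response(q, [(0, 0, 443, "skuldwyrm.no.")])))
    q = build_srv_query("example.com")
    print(choose_url("example.com", fake_response(q, [], rcode=3)))   # NXDOMAIN -> http
```

Two details matter for a real implementation beyond what the batch script does: the decision must be driven by the record's target and port (so www.skuldwyrm.no is sent to https://skuldwyrm.no/, as the nslookup output in the report shows), and a target of "." is a defined "not offered" signal rather than a hostname. Everything else a browser would need, notably validating the answer with DNSSEC before trusting it as an upgrade signal, is outside this snippet.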
Oct 23 2017
Looking up info on DNSSEC, it seems that SRV is not authenticated; this is a shame. TXT records are however supported by DNSSEC, in which case I'd like to suggest the use of:

hsts=domain

I have added a TXT record to my site as an example:

TXT hsts=skuldwyrm.no

Note that concept.bat attached above uses SRV and not TXT; if a proof of concept for TXT is desired, let me know and I'll see if I can do it in DOS batch or PowerShell.
Oct 23 2017
Testing using more tools shows that SRV is signed after all; the initial tool I used just did not support listing SRV. Any worries regarding DNS overhead are valid, but there are efforts to alleviate this (https://tools.ietf.org/html/draft-bellis-dnsext-multi-qtypes-04) using multiple QTYPEs in a single DNS request.
Oct 26 2017
Marking this as WontFix. We've explored and decided against SRV records several times now, and have no plans to support. Issue 22423 was one such discussion.
Oct 26 2017
I'm gonna dupe against that so the (imperfect) connection is clearer.
Comment 1 Deleted