More than a decade after implementing support for secure HTTPS connections on its website, the World Wide Web Consortium (W3C) is finally planning to redirect insecure HTTP connections to the more secure protocol.
The organization, whose website receives hundreds of millions of requests a day, had postponed that transition for fear of breaking legacy web applications, many of which rely on resources accessed via HTTP. But it now says it is almost ready to go, at some point.
“The main reason for this is that we wanted to avoid creating problems for software that requests machine-readable resources from www.w3.org, such as HTML DTDs, XML schemas, and namespace documents,” W3C sysadmin Gerald Oskoboiny said in a post on July 25.
“We believe enough time has passed for most such software to be updated to handle redirects and https, so we plan to redirect all requests received via http to https within a month or two.”
That target date, set a month ago, became undetermined Monday when Oskoboiny published a follow-up post on the W3C blog outlining the lessons learned from early tests of the HTTP-to-HTTPS redirect.
About two hours earlier, The Register had inquired about the transition plan because of concerns raised by a reader. We were told that the W3C blog update was planned and unrelated to our inquiry.
“There is no set date; the rollout will be informed by our testing and the feedback we receive,” Oskoboiny said in an email to The Register on Monday.
Isn’t Java refreshing their cup of tea?
The reader, who works for a major communications provider, wrote to The Register over the weekend to question the proposed timeline. This person, who declined to be named because he doesn’t have permission from his employer to speak to the press, said he needs to support a large Java-based web app that’s about two decades old.
Updating large Java apps to HTTPS, he said, is likely to be costly because the code needs to be changed and tested. And he believes most system administrators won’t be ready for the impact the HTTPS switch will have on production systems that rely on externally hosted W3C resources. The XML schemas involved, he suggested, are commonly used in government applications for interdepartmental communication.
The first tests were turbulent. Two initial tests of the HTTP-to-HTTPS redirect, for eight hours from August 1, and for just over 27 hours from August 18, resulted in multiple reports of application errors. In fact, the second test was scheduled for 72 hours, but was cut short “due to several complaints that this change was affecting production services,” Oskoboiny explains.
Those affected by the HTTP-to-HTTPS redirection trial said the switch broke code intended to validate XML schemas, an optional but highly recommended step to ensure XML data is formed correctly. Builds for Microsoft’s Static Driver Verifier tool, which verifies the source code of Windows kernel-mode drivers, also failed, one commenter said.
“During our initial testing, we heard from a few people that this was causing problems with their systems that make automated requests to our site, such as validating XML schemas,” Oskoboiny said in Monday’s post. “We hope these systems can be reworked to either follow the redirects to https, or use an XML catalog to keep local copies of all the files needed to avoid unnecessary requests to our site.”
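The XML catalog approach mentioned above maps remote identifiers to local copies so that validation never touches the network. As an added example (not code from the W3C post or from any project named in this article), the following Python resolves identifiers against an OASIS XML catalog and reports which references would still need a network fetch. The catalog entries, local paths and the uncovered URL are constructed, and `system` and `uri` entries share one lookup table as a simplification.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"

# Constructed sample catalog; the local paths on the right are placeholders.
CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <system systemId="http://www.w3.org/2001/xml.xsd" uri="schemas/xml.xsd"/>
  <uri name="http://www.w3.org/2001/XMLSchema.xsd" uri="schemas/XMLSchema.xsd"/>
  <rewriteSystem systemIdStartString="http://www.w3.org/TR/xhtml1/DTD/"
                 rewritePrefix="dtd/xhtml1/"/>
</catalog>"""

def load_catalog(text):
    """Return (exact matches, prefix rewrites) parsed from catalog XML."""
    exact, rewrites = {}, []
    for el in ET.fromstring(text).iter():
        tag = el.tag.replace(NS, "")
        if tag == "system":
            exact[el.get("systemId")] = el.get("uri")
        elif tag == "uri":
            exact[el.get("name")] = el.get("uri")
        elif tag == "rewriteSystem":
            rewrites.append((el.get("systemIdStartString"), el.get("rewritePrefix")))
        elif tag == "rewriteURI":
            rewrites.append((el.get("uriStartString"), el.get("rewritePrefix")))
    # The longest matching start string wins, so try longer prefixes first.
    rewrites.sort(key=lambda r: len(r[0]), reverse=True)
    return exact, rewrites

def resolve(catalog, identifier):
    """Map an identifier to its local copy, or None if the catalog lacks it."""
    exact, rewrites = catalog
    if identifier in exact:
        return exact[identifier]
    for start, prefix in rewrites:
        if identifier.startswith(start):
            return prefix + identifier[len(start):]
    return None  # fail closed: the caller must not fall back to the network

def uncovered(catalog, identifiers):
    """List references that would still depend on a remote fetch."""
    return [i for i in identifiers if resolve(catalog, i) is None]

if __name__ == "__main__":
    refs = ["http://www.w3.org/2001/xml.xsd",
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd",
            "http://www.w3.org/example/not-in-catalog.xsd"]  # constructed URL
    print(uncovered(load_catalog(CATALOG), refs))
```

Running `uncovered` over every schema and DTD reference an application makes shows, before a redirect test begins, which files still need a local copy.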
Some of the applications mentioned by commenters use Java components such as the javax.xml.validation package in JDK 11 or javax.xml.validation.SchemaFactory in JDK 8.
These components, in turn, rely on software such as Apache Xerces, an open source set of XML processing tools widely used in Java, or libxml2, an open source XML parsing software library.
In the case of libxml2, an issue was opened two years ago to request HTTPS support. A year ago, project manager Nick Wellnhofer turned down a request to add https, saying the library isn’t doing this because “it’s a bad idea to load resources over the network for performance and availability reasons.”
Oskoboiny echoed that sentiment. “It’s good to be aware of any dependencies you have on third-party sites,” he told The Register.
“It is surprising that modern software that makes HTTP requests is not able to handle redirects or https. Make sure your software is up to date and report problems to the developers if necessary.”
Three days ago, developer Karl Brown joined the discussion asking Wellnhofer to reconsider in light of the W3C’s deprecation of HTTP support. “This is going to break a lot of tools that rely on libxml2 (like lxml),” says Brown’s post. “While I agree that schema validation over the Internet is not efficient, it is probably widely used and the solutions are clunky.”
For that to happen, Wellnhofer replied, someone would need to come forward to implement the feature and support it over the next few years. Welcome to open source development.
The next test will run for 48 hours, from 1700 UTC on September 1 to 1700 UTC on September 3. The fasten seatbelt sign is now illuminated. ®