Users of legacy applications and systems delay W3C's migration to HTTPS

More than a decade after implementing support for secure HTTPS connections on its website, the World Wide Web Consortium (W3C) is planning to finally redirect all insecure HTTP connections to HTTPS. The organization, which receives hundreds of millions of requests per day to its website, had not done so until now for fear of causing performance problems in legacy web applications, since many depend on resources that are accessed through the HTTP protocol. But it now says it is ready to do so.

Gerald Oskoboiny, W3C System Administrator, explained it in a post on July 25: “the main reason for not doing this is that we wanted to avoid problems for software that makes requests for machine-readable resources from www.w3.org, such as HTML DTDs, XML Schemas, and namespace documents. We think it’s been quite a while since most software of this type has been updated to handle redirects and https, so we’re planning to start redirecting all requests received over http to https in a month or two.”

About a month ago they set a target date for the redirect, but this week they removed it and left it undetermined again. This happened after a follow-up post in which the W3C describes what it saw in the first tests of the transition from HTTP to HTTPS. Also, according to The Register, the new date will depend on the results of the W3C tests and the feedback they receive.

According to Oskoboiny, the preliminary tests have been quite problematic. The consortium conducted two initial tests of HTTP to HTTPS redirection, for eight hours on August 1, and for about 27 hours on August 18. In both, several reports of application crashes were received. In fact, the second test was scheduled to last 72 hours, but was cut short because of “several complaints that the change was having an impact on production services.”

Those affected by the redirect tests noted that the change “broke” the code used to validate XML schemas, an optional but highly recommended step to ensure that XML data is generated properly. Versions of Microsoft’s Static Driver Verification tool also failed, apparently.

In fact, in the post in which the W3C reports the results of the tests, it says that during the tests several people complained that the change “was causing problems with their systems that make automated requests to our site. For example, when performing XML Schema validations. We hope that these systems can be upgraded to either follow redirection to https, or to use an XML catalog to keep local copies of all the files they need to avoid making unnecessary requests to our system.”
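The XML catalog approach recommended in that post, as an added example that is not from the original article or from the W3C: a minimal resolver that maps W3C schema and DTD identifiers to local copies and fails closed instead of fetching over the network. The sample catalog, the local paths and the `OfflineCatalog` class are constructed for illustration; treating `http://` and `https://` identifiers as equivalent and keeping `uri` and `system` entries in one table are simplifying assumptions.

```python
import xml.etree.ElementTree as ET

CAT_NS = "{urn:oasis:names:tc:entity:xmlns:xml:catalog}"

# Constructed sample catalog; the local paths are hypothetical.
SAMPLE_CATALOG = """<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <uri name="http://www.w3.org/2001/xml.xsd" uri="schemas/xml.xsd"/>
  <system systemId="http://www.w3.org/2001/XMLSchema.dtd" uri="schemas/XMLSchema.dtd"/>
  <rewriteURI uriStartString="http://www.w3.org/TR/" rewritePrefix="schemas/TR/"/>
  <rewriteURI uriStartString="http://www.w3.org/TR/xhtml1/" rewritePrefix="schemas/xhtml1/"/>
</catalog>"""


class OfflineCatalog:
    """Resolve schema/DTD identifiers from an OASIS XML catalog, never from the network."""

    def __init__(self, catalog_xml):
        root = ET.fromstring(catalog_xml)
        self.exact, self.prefixes = {}, []
        for el in root.iter():
            tag = el.tag.replace(CAT_NS, "")
            if tag in ("uri", "system"):
                key = el.get("name") or el.get("systemId")
                self.exact[self._norm(key)] = el.get("uri")
            elif tag in ("rewriteURI", "rewriteSystem"):
                start = el.get("uriStartString") or el.get("systemIdStartString")
                self.prefixes.append((self._norm(start), el.get("rewritePrefix")))
        # When several rewrite entries match, the longest prefix wins.
        self.prefixes.sort(key=lambda p: len(p[0]), reverse=True)

    @staticmethod
    def _norm(identifier):
        # Assumption: the http:// and https:// forms name the same resource.
        if identifier.startswith("https://"):
            return "http://" + identifier[len("https://"):]
        return identifier

    def resolve(self, identifier):
        key = self._norm(identifier)
        if key in self.exact:
            return self.exact[key]
        for start, prefix in self.prefixes:
            if key.startswith(start):
                return prefix + key[len(start):]
        # Fail closed: an unmapped identifier is an error, not a silent fetch.
        raise LookupError("no catalog entry for %s" % identifier)
```

A validator wired to such a resolver keeps working whether or not the remote site redirects, and an unmapped identifier surfaces as an explicit error that can be reviewed before a new local copy is added.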

Some of the applications cited by the commenters use Java components, such as the java-xml-validation package from the Java Development Kit (JDK) 11, or java.xml.validation.SchemaFactory from the Java Development Kit 8. These components, in turn, rely on software like Apache Xerces, a collection of open source XML management tools that is widely used in Java, and on libxml2, an open source software library for XML parsing.

In the case of the latter, problems already arose two years ago when HTTPS support was requested. A year ago, Nick Wellnhofer, who maintains the project, turned down a request to add https, claiming the library doesn’t do that because “it is a bad idea to load resources on the network, for availability and performance.” Oskoboiny agrees, noting that “it’s good to be aware of any dependencies you may have on third-party sites. It is surprising that modern software that makes HTTPS requests does not have the ability to handle redirects or https. Please make sure your software is up to date, and report issues to the developers if necessary.”

Just a few days ago another developer asked Wellnhofer to reconsider his decision in light of the W3C’s abandonment of HTTP, because “it’s going to break a lot of tools that depend on libxml2, like lxml,” and because, although the developer agrees with him, “Internet schema validation is not efficient, it’s used a lot and the solutions to the problem don’t work very well.”

On this occasion, Wellnhofer has not refused, but has pointed out that for it to happen, someone has to volunteer to implement the feature and support it in the coming years. In short, he wants nothing to do with it. Meanwhile, the W3C continues with its tests. The next one will last 48 hours and will start on September 1.

Photo: Fabio Lanari
