- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 29 Dec 2011 19:55:41 -0800
- To: Mark Nottingham <mnot@mnot.net>
- Cc: Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>, Adrien de Croy <adrien@qbik.com>

On Dec 29, 2011, at 4:44 PM, Mark Nottingham wrote:

> SHOULD affects conformance. At most, I think we'd add something to the security considerations saying that proxies "ought to" or "are encouraged to."

FWIW, I consider it to be a security hole for any user agent to automatically change the configured proxy authority. If the user/org wants to connect via TLS, then the user/org should configure the proxy with an https URI. There is no guarantee that a proxy on port 443 is controlled by the same org as the one on port 80.

OTOH, the spec already allows communication on port 80 to be Upgraded to TLS. No changes are necessary to support that.

....Roy

Received on Friday, 30 December 2011 03:56:41 UTC