- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 04 Feb 2015 15:00:07 +0100
- To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Ted Lemon <Ted.Lemon@nominum.com>
- CC: Julian Reschke <julian.reschke@gmx.de>, "httpbis-chairs@tools.ietf.org" <httpbis-chairs@tools.ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-httpbis-rfc7238bis@tools.ietf.org, HTTP Working Group <ietf-http-wg@w3.org>
On 2015-02-04 14:53, Kathleen Moriarty wrote:

> Hi Julian,
>
> Thanks for your quick response. My intent wasn't to hold this up,
> although the thought of eliminating vulnerabilities that could be
> sources of compromise is really attractive having managed incident
> response teams. :-)
>
> Yes, I agree this also applies to redirects and that would require an
> update to RFC7231. For this, could you write text to strongly
> recommend use of TLS with this feature explaining the hazards?

Updating RFC 7231 requires consensus in the WG (and in the IETF, for that matter).

I also don't believe we have consensus for a recommendation not to use permanent redirects on HTTP. We *could* point out the problem, but then, there are so many other similar problems applicable to non-encrypted HTTP that I really don't see why this one deserves to be called out specifically.

> ...

Best regards, Julian
Received on Wednesday, 4 February 2015 14:01:19 UTC
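The hazard under discussion is that a permanent redirect (301 or 308) learned over cleartext HTTP is remembered by the client long after the connection that carried it is gone, so anything injected on that path outlives it. The following is an added illustration of one client-side mitigation; it is not text from this thread, from RFC 7231 or from draft-ietf-httpbis-rfc7238bis, and the policy it encodes (persist a permanent redirect only when both the response and its target were over TLS) is a hypothetical local rule, not a WG recommendation. The response bytes and URLs are constructed samples.

```python
"""
Added example (not from the thread or the draft): a cautious client
policy for remembering permanent redirects.  The rule is a hypothetical
one: a 301/308 is only persisted across sessions when it arrived over
TLS and points at a TLS target; otherwise it is followed once and
forgotten, so a redirect seen on cleartext HTTP cannot become sticky.
"""
from typing import Dict, Tuple
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Parse the status line and header fields of an HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        # Field names are case-insensitive; normalise so lookups are simple.
        headers[name.strip().title()] = value.strip()
    return status, headers


def evaluate_redirect(request_url: str, status: int, headers: Dict[str, str]) -> dict:
    """Decide whether a redirect may be followed and whether it may be remembered."""
    location = headers.get("Location")
    if status not in PERMANENT | TEMPORARY or location is None:
        return {"redirect": False, "persist": False, "reason": "not a redirect"}

    # Location may be a relative reference; resolve it against the request URL.
    target = urljoin(request_url, location)
    src_scheme = urlsplit(request_url).scheme.lower()
    dst_scheme = urlsplit(target).scheme.lower()

    result = {
        "redirect": True,
        "status": status,
        "target": target,
        "permanent": status in PERMANENT,
        "persist": False,
        "reason": "",
    }
    if status in TEMPORARY:
        result["reason"] = "temporary redirect: follow once, never persist"
    elif src_scheme != "https":
        # The response itself travelled in the clear, so its permanence
        # cannot be trusted beyond this one exchange.
        result["reason"] = "permanent redirect received over cleartext: follow, do not persist"
    elif dst_scheme != "https":
        # TLS origin, but the target drops back to cleartext; do not make that sticky.
        result["reason"] = "permanent redirect to cleartext target: follow, do not persist"
    else:
        result["persist"] = True
        result["reason"] = "permanent redirect received over TLS: safe to remember"
    return result


# Constructed sample: a 308 with a relative Location, as a server might send it.
SAMPLE_308 = (
    b"HTTP/1.1 308 Permanent Redirect\r\n"
    b"Location: /new-home\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def demo() -> Tuple[dict, dict]:
    """Evaluate the same constructed 308 as if fetched over http:// and over https://."""
    status, headers = parse_response_head(SAMPLE_308)
    over_cleartext = evaluate_redirect("http://example.com/old", status, headers)
    over_tls = evaluate_redirect("https://example.com/old", status, headers)
    return over_cleartext, over_tls


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the split is that the client still honours the redirect for the current request in both cases; only the decision to remember it depends on whether the channel could have been tampered with, which is the property TLS supplies and cleartext HTTP does not.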