- From: Barry Leiba <barryleiba@computer.org>
- Date: Wed, 4 Feb 2015 09:35:26 -0500
- To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, draft-ietf-httpbis-rfc7238bis@tools.ietf.org, "httpbis-chairs@tools.ietf.org" <httpbis-chairs@tools.ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, The IESG <iesg@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>
>>> I would not object, and I think it would be a good idea, to include a
>>> very short paragraph that goes something like this:
>>>
>>> << Unsecured http is always subject to redirect attacks, in that a
>>> "man in the middle" can replace any http response with a redirect
>>> (such as to a malicious site or one benefiting the attacker). Such an
>>> attack can use "permanent" redirect codes (301 or 308) to convince
>>> clients or proxies to cache the malicious information. Secured https
>>> is not subject to these sorts of attacks. >>
>
> Thanks, Barry. That's what I was looking to see and think it will be helpful.

Great; and, as Julian has accepted that, feel free to clear the DISCUSS, and he and I will make sure it gets into the next revision.

Barry
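The paragraph quoted above turns on one detail of HTTP caching: 301 and 308 are cacheable by default (RFC 7231 and RFC 7538), so a redirect that an on-path attacker substitutes for a plaintext response is remembered by the client or proxy long after the attacker is gone. The following is an added illustration, not code from the thread or from the httpbis drafts. It parses a constructed 308 response, shows that a standards-following cache would store it, and contrasts that with a hypothetical client policy (named `hardened_would_cache` here; this policy is an assumption, not something the draft specifies) that refuses to persist any redirect learned over plaintext http while keeping the default behaviour for https.

```python
"""
Added example for the redirect-caching point in the thread above.
The sample responses and the "hardened" policy are constructed for
illustration; they are not part of the original message or RFC text.
"""
import re
from dataclasses import dataclass

# Status codes that RFC 7231 / RFC 7538 mark as cacheable by default
# (301 Moved Permanently, 308 Permanent Redirect). 302 and 307 are only
# cacheable when the response carries explicit freshness information.
PERMANENT_REDIRECTS = {301, 308}
TEMPORARY_REDIRECTS = {302, 307}


@dataclass
class Response:
    status: int
    headers: dict
    scheme: str  # "http" or "https": the channel the response arrived on


def parse_response(raw: bytes, scheme: str) -> Response:
    """Parse the status line and headers of a raw HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(int(m.group(1)), headers, scheme)


def has_explicit_freshness(headers: dict) -> bool:
    """Expires or Cache-Control max-age / s-maxage present."""
    cc = headers.get("cache-control", "").lower()
    return "expires" in headers or "max-age=" in cc or "s-maxage=" in cc


def default_would_cache(resp: Response) -> bool:
    """What a standards-following cache does with a redirect:
    301/308 are stored by default, 302/307 only with explicit freshness,
    and Cache-Control: no-store always wins."""
    cc = resp.headers.get("cache-control", "").lower()
    if "no-store" in cc:
        return False
    if resp.status in PERMANENT_REDIRECTS:
        return True
    if resp.status in TEMPORARY_REDIRECTS:
        return has_explicit_freshness(resp.headers)
    return False


def hardened_would_cache(resp: Response) -> bool:
    """Hypothetical defensive policy (an assumption, not from the draft):
    never persist a redirect that was learned over plaintext http, because
    anyone on the path could have injected it. Redirects received over
    https keep the default caching behaviour."""
    if resp.status in (PERMANENT_REDIRECTS | TEMPORARY_REDIRECTS) and resp.scheme != "https":
        return False
    return default_would_cache(resp)


def verdict(raw: bytes, scheme: str) -> dict:
    """Summarise both policies for one response; handy for a quick check."""
    resp = parse_response(raw, scheme)
    return {
        "status": resp.status,
        "default_caches": default_would_cache(resp),
        "hardened_caches": hardened_would_cache(resp),
    }


# Constructed sample: the shape of response the thread describes, a
# permanent redirect substituted for whatever the origin actually sent.
# The Location host is a placeholder, not a real site.
INJECTED_308 = (b"HTTP/1.1 308 Permanent Redirect\r\n"
                b"Location: http://elsewhere.example/\r\n"
                b"Content-Length: 0\r\n\r\n")

# Constructed sample: a temporary redirect with no freshness information.
TEMP_302 = b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"

if __name__ == "__main__":
    print("308 over http: ", verdict(INJECTED_308, "http"))
    print("308 over https:", verdict(INJECTED_308, "https"))
    print("302 over https:", verdict(TEMP_302, "https"))
```

Running it shows the asymmetry the quoted paragraph is about: the default policy stores the 308 regardless of how it arrived, so a single injected response poisons every later request for that URL, whereas the hardened policy only keeps redirects that came over https, where an on-path party cannot substitute the response.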
Received on Wednesday, 4 February 2015 14:35:54 UTC