Re: fyi: Strict Transport Security specification

From: Collin Jackson <collin.jackson@sv.cmu.edu>
Date: Sun, 8 Nov 2009 23:06:26 -0800
Message-ID: <347061de0911082306h23a4754eo490167e5a14214b5@mail.gmail.com>
To: Bil Corry <bil@corry.biz>
Cc: "Hodges, Jeff" <jeff.hodges@paypal.com>, public-webapps@w3.org, abarth@eecs.berkeley.edu, Andy Steingruebl <steingra@gmail.com>
On Sun, Nov 8, 2009 at 9:42 PM, Bil Corry <bil@corry.biz> wrote:
> How does the server identify the STS clients?  If there isn't a way (which I don't believe there is), then given the STS requirement that a server should redirect from non-HTTPS to HTTPS, what does that mean for UAs that don't understand STS -- does the best practice of not redirecting to HTTPS still apply[2]?
>
> [2] OWASP: Rule - Do Not Perform Redirects from Non-TLS Page to TLS Login Page
>    http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page

It seems like a stretch to call this a "best practice" since it is so
rarely followed. What major web sites follow this practice?
Received on Monday, 9 November 2009 14:59:51 GMT
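The exchange above turns on one point: a server cannot tell an STS-aware user agent from any other, so it must treat every plain-HTTP request the same way (redirect it to HTTPS) and rely on the STS header, sent only over HTTPS, to keep STS-aware clients off plain HTTP on later visits. The following is an added example, not code from this thread or from the STS draft; it models that server alongside two user agents (one that ignores STS, one that honours it) and counts how many requests each one actually puts on the wire over plain HTTP. All names, hosts and values (`handle_request`, `UserAgent`, `example.test`, the one-year `max-age`) are constructed for the illustration.

```python
# Added example (not from the thread): a minimal model of a server that cannot
# tell STS-aware user agents apart, so it redirects every plain-HTTP request to
# HTTPS and sends the STS header only over HTTPS, plus two user agents: one that
# ignores STS and one that honours it. All names and values are constructed.
from urllib.parse import urlsplit, urlunsplit

STS_HEADER = "Strict-Transport-Security"
STS_MAX_AGE = 31536000  # constructed policy lifetime: one year, in seconds


def split_url(url: str):
    """Return (scheme, host, path) for a URL; path defaults to '/'."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path or "/"


def handle_request(scheme: str, host: str, path: str) -> dict:
    """Server side. There is no way to identify STS clients from the request,
    so every plain-HTTP request gets the same 301 to HTTPS. The STS header is
    only emitted on HTTPS responses; an STS client ignores it on plain HTTP,
    where an on-path party could have injected or altered it."""
    if scheme == "http":
        target = urlunsplit(("https", host, path, "", ""))
        return {"status": 301, "headers": {"Location": target}}
    return {"status": 200, "headers": {STS_HEADER: f"max-age={STS_MAX_AGE}"}}


class UserAgent:
    """Client side. understands_sts=False models a browser with no STS
    support; True models one that remembers STS hosts and rewrites http://
    URLs to https:// before anything is sent on the wire."""

    def __init__(self, understands_sts: bool):
        self.understands_sts = understands_sts
        self.sts_hosts = set()
        self.wire = []  # every (scheme, host, path) actually transmitted

    def fetch(self, url: str) -> dict:
        scheme, host, path = split_url(url)
        if self.understands_sts and scheme == "http" and host in self.sts_hosts:
            scheme = "https"  # upgrade locally; no plain-HTTP request is made
        for _ in range(5):  # follow redirects, with a bound against loops
            self.wire.append((scheme, host, path))
            resp = handle_request(scheme, host, path)
            if self.understands_sts and scheme == "https" and STS_HEADER in resp["headers"]:
                self.sts_hosts.add(host)  # remember the policy for this host
            if resp["status"] == 301:
                scheme, host, path = split_url(resp["headers"]["Location"])
                continue
            return resp
        raise RuntimeError("redirect loop")

    def plain_http_requests(self) -> int:
        """Number of requests this UA sent over plain HTTP, i.e. the window in
        which an on-path party could have answered with a different redirect."""
        return sum(1 for scheme, _, _ in self.wire if scheme == "http")


def compare_visits(url: str, visits: int = 3):
    """Same URL typed `visits` times in each kind of UA; returns the count of
    plain-HTTP requests each one put on the wire (legacy first, STS-aware second)."""
    legacy, aware = UserAgent(False), UserAgent(True)
    for _ in range(visits):
        legacy.fetch(url)
        aware.fetch(url)
    return legacy.plain_http_requests(), aware.plain_http_requests()


if __name__ == "__main__":
    print(compare_visits("http://example.test/login"))
```

The result illustrates the trade-off in the question: for a user agent without STS support the non-TLS-to-TLS redirect the OWASP rule warns about happens on every visit, because the server has nothing else to offer it; for an STS-aware agent it happens only once, on the first visit, after which the agent upgrades the URL itself and never sends the plain-HTTP request that the redirect was protecting.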

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:35 GMT