Re: URL disambiguation

Additionally, it would be nice if the banks would accept my https url 
(redirect to the http version if one does not exist). ;)

Try:
https://www.bankofamerica.com/giftcard  (404)
http://www.bankofamerica.com/giftcard


Ian Fette wrote:
> This seems bad to me. Specifically, trying HTTPS before HTTP is going to be
> costly to some few number of sites. E.g. a ton of users just type in
> google.com, yahoo.com, microsoft.com. For many of these use cases, SSL is
> not appropriate. I understand the desire that for banks it goes to https,
> but for the general web this is not a good thing IMHO. What would be better
> is to say that if you're a banking site, you should immediately redirect
> from http:// to https://. Trying to move the whole web to https:// is very
> different, and is basically what you propose.
> 
> On Tue, Mar 4, 2008 at 7:49 AM, <michael.mccormick@wellsfargo.com> wrote:
> 
>> http://no-www.org/
>> http://yes-www.org/
>>
>> No doubt most of you are familiar with these web sites, and with the
>> arguments for and against requiring host names in URLs.
>>
>> Most browsers seem to make it a moot point by accepting both forms of
>> URL.  If I type "example.com" into my browser it takes me to
>> http://www.example.com.  The agent is letting me be lazy and skip typing
>> the protocol (http://) or hostname (www.) portions of my destination
>> address.
>>
>> The process of URL disambiguation, whereby the UA attempts to guess parts
>> of the address the user has omitted, should be standardized for both
>> security & experience reasons:
>>
>> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
>>
>>  - If protocol omitted, UA must try https before http.  (Always prefer a
>> TLS protected destination.)
>>
>>  - If host omitted, and protocol is http(s), UA may try the host name
>> "www" in the target domain if it has a DNS record, unless the agent is in
>> SBM mode.
>>
>>  - etc.
>>
>> *Michael McCormick, CISSP*
>> Lead Security Architect, Information Security Technologies
>> Wells Fargo Bank
>> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
>> FARGO"
>>
> 

-- 
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/
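The disambiguation rules proposed in the quoted message, worked through as an added example that is not code from any participant in the thread or from any browser: candidates are ordered https before http, a "www" host guess is appended unless the agent is in SBM mode, and the first candidate that resolves and answers with a status below 400 wins. The two-label test for "host omitted", the probe-counting return value, and the DNS and HTTP status tables (modelled on the 404/200 pair in the reply above) are all assumptions constructed for this example; a real agent would use a public-suffix list and live requests.

```python
"""Ordered URL disambiguation: https before http, then an optional "www" host guess.

Added example; the DNS and HTTP status tables below are constructed for offline use.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple


def split_typed(typed: str) -> Tuple[Optional[str], str, str, str]:
    """Split user-typed text into (scheme or None, host, port, path+query)."""
    typed = typed.strip()
    scheme: Optional[str] = None
    if "://" in typed:
        scheme, typed = typed.split("://", 1)
        scheme = scheme.lower()
    authority, slash, tail = typed.partition("/")
    host, _, port = authority.partition(":")
    return scheme, host.lower(), port, slash + tail


def candidate_urls(typed: str, sbm_mode: bool = False) -> List[str]:
    """Return the candidates a UA would try, in the order the proposal gives.

    Rule 1: protocol omitted -> https before http (an explicit scheme is kept as typed).
    Rule 2: host omitted -> also try "www." in the target domain, unless in SBM mode.
    "Host omitted" is approximated here as a bare two-label name (domain.TLD); a real
    UA would consult a public-suffix list instead. That heuristic is an assumption.
    """
    scheme, host, port, path_query = split_typed(typed)
    schemes = [scheme] if scheme else ["https", "http"]
    hosts = [host]
    if not sbm_mode and host.count(".") == 1:
        hosts.append("www." + host)
    netport = f":{port}" if port else ""
    return [f"{s}://{h}{netport}{path_query}" for s in schemes for h in hosts]


def disambiguate(typed: str, fetch: Callable[[str], Optional[int]],
                 sbm_mode: bool = False) -> Tuple[Optional[str], List[str]]:
    """Probe candidates in order; return (first URL answering < 400, URLs probed).

    The probe list is the cost objected to in the thread: every https-first guess
    that fails is a wasted connection before the http version is reached.
    """
    probed: List[str] = []
    for url in candidate_urls(typed, sbm_mode):
        probed.append(url)
        status = fetch(url)          # None means the host has no DNS record
        if status is not None and status < 400:
            return url, probed
    return None, probed


# Constructed tables standing in for DNS and the live web (not real measurements).
# The bankofamerica pair mirrors the 404/200 behaviour quoted in the reply.
CONSTRUCTED_DNS: Set[str] = {"www.bankofamerica.com", "example.com", "www.example.com"}
CONSTRUCTED_WEB: Dict[str, int] = {
    "https://www.bankofamerica.com/giftcard": 404,
    "http://www.bankofamerica.com/giftcard": 200,
    "https://www.example.com": 200,
    "http://www.example.com": 200,
    "http://example.com": 200,
}


def fake_fetch(url: str) -> Optional[int]:
    """Offline stand-in for a HEAD request: None without DNS, else the table's status (404 default)."""
    host = split_typed(url)[1]
    if host not in CONSTRUCTED_DNS:
        return None
    return CONSTRUCTED_WEB.get(url, 404)


if __name__ == "__main__":
    for typed in ("example.com", "www.bankofamerica.com/giftcard", "bankofamerica.com/giftcard"):
        chosen, probed = disambiguate(typed, fake_fetch)
        print(f"{typed!r:40} -> {chosen}  ({len(probed)} probes)")
    print(disambiguate("example.com", fake_fetch, sbm_mode=True))
```

Running it shows both sides of the thread at once: "example.com" lands on the TLS-protected www host as the proposal intends, while the giftcard path only succeeds on the second probe because the https candidate answers 404, so an https-first agent needs a fallback on error status and pays one extra connection for every site that serves nothing over TLS.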

Received on Tuesday, 4 March 2008 19:17:53 UTC