W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: Kathleen Moriarty's Discuss on draft-ietf-httpbis-rfc7238bis-02: (with DISCUSS)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 04 Feb 2015 07:23:43 +0100
Message-ID: <54D1BAEF.7040806@gmx.de>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: httpbis-chairs@tools.ietf.org, draft-ietf-httpbis-rfc7238bis@tools.ietf.org, ietf-http-wg@w3.org
On 2015-02-04 02:05, Kathleen Moriarty wrote:
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-httpbis-rfc7238bis-02: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> http://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc7238bis/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> I have a question on the security considerations, since the session isn't
> necessarily encrypted.
>
> Couldn't an attacker substitute the URI that the user gets permanently
> redirected to a malicious site or a competitor, etc.?  The security
> considerations of RFC7231 are pretty thorough, but I didn't see mention
> of using TLS to prevent session interception for this type of attack or
> for the privacy protection section.
>
> If I missed something, please let me know where to look.
>
> Thank you.

No, you didn't miss something. Also, what you say essentially means that 
permanent redirects couldn't be used over HTTP at all.

If it's a concern for 307 it's a concern about 308 as well, in which 
case we should address it in a revision of RFC 7231.

Best regards, Julian
Received on Wednesday, 4 February 2015 06:24:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:43 UTC