- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 04 Feb 2015 07:23:43 +0100
- To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
- CC: httpbis-chairs@tools.ietf.org, draft-ietf-httpbis-rfc7238bis@tools.ietf.org, ietf-http-wg@w3.org
On 2015-02-04 02:05, Kathleen Moriarty wrote: > Kathleen Moriarty has entered the following ballot position for > draft-ietf-httpbis-rfc7238bis-02: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-httpbis-rfc7238bis/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I have a question on the security considerations, since the session isn't > necessarily encrypted. > > Couldn't an attacker substitute the URI that the user gets permanently > redirected to a malicious site or a competitor, etc.? The security > considerations of RFC7231 are pretty thorough, but I didn't see mention > of using TLS to prevent session interception for this type of attack or > for the privacy protection section. > > If I missed something, please let me know where to look. > > Thank you. No, you didn't miss something. Also, what you say essentially means that permanent redirects couldn't be used over HTTP at all. If it's a concern for 307 it's a concern about 308 as well, in which case we should address it in a revision of RFC 7231. Best regards, Julian
Received on Wednesday, 4 February 2015 06:24:53 UTC