- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 04 Feb 2015 14:16:26 +0100
- To: Ted Lemon <Ted.Lemon@nominum.com>
- CC: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, httpbis-chairs@tools.ietf.org, ietf-http-wg@w3.org, draft-ietf-httpbis-rfc7238bis@tools.ietf.org
On 2015-02-04 14:06, Ted Lemon wrote:
> On Feb 3, 2015, at 11:23 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> No, you didn't miss something. Also, what you say essentially means that permanent redirects couldn't be used over HTTP at all.
>>
>> If it's a concern for 307 it's a concern about 308 as well, in which case we should address it in a revision of RFC 7231.
>
> It is perhaps worth pointing out that a permanent redirect only applies to the specific URL that was queried, if I understand it correctly. So an http:// URL is never secure, and always vulnerable to an MITM attack using the permanent redirect. But an otherwise identical https:// URL would not be covered by the redirect.

That's true for any redirect.

> And also, AFAIK, a permanent redirect is more for caches and robots than for browsers, isn't it? I.e., my copy of Chrome isn't going to remember a redirect forever?

I wouldn't say it's "more" for these. But yes, it's likely that different components have different ideas about what "permanent" means.

Best regards, Julian
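To make the scoping point in the exchange above concrete, here is an added example (not code from the thread or from either author): a minimal model in Python of how a client may remember permanent redirects. Entries are keyed on the full URL including the scheme, so a redirect learned for http://example.com/api says nothing about https://example.com/api, and the method-preservation rule that separates 307/308 from 301/302 is applied when a hop is followed. The Response type, the example.com URLs and the stand-in origin server are constructed for the demonstration; the function names belong to this example, not to any library.

```python
"""Model of a user agent's redirect cache (constructed example).

Permanent redirects (301, 308) are remembered per exact URL; the scheme is
part of the key, so http:// and https:// variants are distinct entries.
Method handling follows RFC 7231 (301/302 may turn POST into GET) and
RFC 7238 (307/308 preserve the method).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

PERMANENT = {301, 308}           # cacheable by default per RFC 7231
METHOD_PRESERVING = {307, 308}   # request method must not be rewritten


@dataclass
class Response:
    status: int
    location: Optional[str] = None
    body: bytes = b""


def canonical_key(url: str) -> str:
    """Scheme + lowercased host + explicit port + path + query.

    Keeping the scheme in the key is what keeps a redirect learned over
    plaintext from ever being applied to the TLS URL of the same resource."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}[p.scheme]
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.hostname.lower()}:{port}{p.path or '/'}{query}"


def rewrite_request(method: str, status: int) -> str:
    """Method used on the redirected request: 307/308 keep it, 301/302 may
    change POST to GET (the historical user-agent behaviour)."""
    if status in METHOD_PRESERVING:
        return method
    return "GET" if method == "POST" else method


@dataclass
class RedirectCache:
    # key -> (status, Location); only permanent redirects are stored
    entries: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def learn(self, url: str, resp: Response) -> None:
        if resp.status in PERMANENT and resp.location:
            self.entries[canonical_key(url)] = (resp.status, resp.location)

    def lookup(self, url: str) -> Optional[Tuple[int, str]]:
        return self.entries.get(canonical_key(url))


Origin = Callable[[str, str], Response]


def follow(cache: RedirectCache, method: str, url: str,
           origin: Origin) -> Tuple[str, str, Response]:
    """Send one request, honouring a remembered redirect first, and follow
    at most one redirect hop. Returns (final method, final URL, response)."""
    cached = cache.lookup(url)
    if cached is not None:
        status, target = cached
        m = rewrite_request(method, status)
        return m, target, origin(m, target)      # original URL never contacted
    resp = origin(method, url)
    if 300 <= resp.status < 400 and resp.location:
        cache.learn(url, resp)
        m = rewrite_request(method, resp.status)
        return m, resp.location, origin(m, resp.location)
    return method, url, resp


def constructed_origin(method: str, url: str) -> Response:
    """Stand-in server: 308 from plaintext /api to TLS, 200 on TLS."""
    p = urlsplit(url)
    if p.scheme == "http" and p.path == "/api":
        return Response(308, location="https://example.com/api")
    if p.scheme == "https" and p.path == "/api":
        return Response(200, body=f"{method} ok".encode())
    return Response(404)


def demo() -> dict:
    cache = RedirectCache()
    first = follow(cache, "POST", "http://example.com/api", constructed_origin)
    second = follow(cache, "GET", "http://example.com/api", constructed_origin)
    return {
        "first_hop": (first[0], first[1], first[2].status),
        "second_hop": (second[0], second[1], second[2].status),
        "http_cached": cache.lookup("http://example.com/api"),
        "https_cached": cache.lookup("https://example.com/api"),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two consequences discussed in the mail: after the first hop the cache holds an entry for the http:// key only, so the https:// lookup returns None, and the second request for the plaintext URL is answered from the cache without the http:// URL being contacted again. A client that instead keyed entries on host alone would conflate the two schemes.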
Received on Wednesday, 4 February 2015 13:17:39 UTC