
Re: Kathleen Moriarty's Discuss on draft-ietf-httpbis-rfc7238bis-02: (with DISCUSS)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 04 Feb 2015 14:16:26 +0100
Message-ID: <54D21BAA.6000600@gmx.de>
To: Ted Lemon <Ted.Lemon@nominum.com>
CC: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>, httpbis-chairs@tools.ietf.org, ietf-http-wg@w3.org, draft-ietf-httpbis-rfc7238bis@tools.ietf.org

On 2015-02-04 14:06, Ted Lemon wrote:
> On Feb 3, 2015, at 11:23 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
>> No, you didn't miss something. Also, what you say essentially means that permanent redirects couldn't be used over HTTP at all.
>>
>> If it's a concern for 307 it's a concern about 308 as well, in which case we should address it in a revision of RFC 7231.
>
> It is perhaps worth pointing out that a permanent redirect only applies to the specific URL that was queried, if I understand it correctly. So an http:// URL is never secure, and always vulnerable to an MITM attack using the permanent redirect. But an otherwise identical https:// URL would not be covered by the redirect.

That's true for any redirect.

> And also, AFAIK, a permanent redirect is more for caches and robots than for browsers, isn't it? I.e., my copy of Chrome isn't going to remember a redirect forever?

I wouldn't say it's "more" for these. But yes, it's likely that different components have different ideas about what "permanent" means.

Best regards, Julian
Received on Wednesday, 4 February 2015 13:17:39 UTC
