Re: Kathleen Moriarty's Discuss on draft-ietf-httpbis-rfc7238bis-02: (with DISCUSS)

>>> I would not object, and I think it would be a good idea, to include a
>>> very short paragraph that goes something like this:
>>> << Unsecured http is always subject to redirect attacks, in that a
>>> "man in the middle" can replace any http response with a redirect
>>> (such as to a malicious site or one benefiting the attacker).  Such an
>>> attack can use "permanent" redirect codes (301 or 308) to convince
>>> clients or proxies to cache the malicious information.  Secured https
>>> is not subject to these sorts of attacks. >>
> Thanks, Barry.  That's what I was looking to see and think it will be helpful.

Great; and, as Julian has accepted that, feel free to clear the
DISCUSS, and he and I will make sure it gets into the next revision.
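The quoted paragraph describes why a cached "permanent" redirect received over unsecured http is dangerous: anything on the path could have replaced the real response. The following is an added example, not code from the thread or from the rfc7238bis draft, of how a client or caching proxy might apply that reasoning: permanent redirects (301/308) are only treated as cacheable when the response arrived over https, and plain-http permanent redirects that point at a different host are flagged for review. The `Transaction` type, the function names and the sample transactions are constructed for illustration.

```python
"""Added example: cache policy for redirect responses, following the reasoning
in the quoted paragraph (plain http is subject to on-path redirect replacement).
Names and sample data are constructed; this is not code from the draft."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Status codes the thread identifies as "permanent" redirects.
PERMANENT_REDIRECTS = {301, 308}


@dataclass
class Transaction:
    request_url: str          # URL the client asked for
    status: int               # HTTP status code of the response
    location: Optional[str]   # Location header, if any


def is_trustworthy_redirect(tx: Transaction) -> bool:
    """A redirect may only be remembered as permanent if the response could
    not have been swapped out on the wire, i.e. it came back over https."""
    return urlsplit(tx.request_url).scheme == "https"


def cache_decision(tx: Transaction) -> str:
    """Return 'cache', 'no-cache' or 'suspicious' for one transaction.

    - non-permanent statuses and redirects without Location are never cached;
    - https permanent redirects are cached as usual;
    - plain-http permanent redirects are never cached, and the cross-host
      ones (the pattern in the quoted attack description) are flagged.
    """
    if tx.status not in PERMANENT_REDIRECTS or tx.location is None:
        return "no-cache"
    if is_trustworthy_redirect(tx):
        return "cache"
    src_host = urlsplit(tx.request_url).hostname
    dst_host = urlsplit(tx.location).hostname  # None for relative Locations
    if dst_host is not None and dst_host != src_host:
        return "suspicious"
    return "no-cache"


def audit(transactions: List[Transaction]) -> List[Tuple[str, str]]:
    """Run cache_decision over a batch and pair each URL with its decision."""
    return [(tx.request_url, cache_decision(tx)) for tx in transactions]


# Constructed sample transactions (not captured traffic).
SAMPLE = [
    Transaction("https://example.com/", 301, "https://www.example.com/"),
    Transaction("http://example.com/", 308, "http://other.example.net/"),
    Transaction("http://example.com/", 302, "http://other.example.net/"),
    Transaction("http://example.com/old", 301, "/new"),
]

if __name__ == "__main__":
    for url, decision in audit(SAMPLE):
        print(f"{decision:10s} {url}")
```

Same-host plain-http permanent redirects are deliberately returned as `no-cache` rather than `suspicious`: they are still untrusted (an on-path attacker can redirect within a host just as easily), but the cross-host case is the one worth surfacing to an operator first.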


Received on Wednesday, 4 February 2015 14:35:54 UTC