
Re: Kathleen Moriarty's Discuss on draft-ietf-httpbis-rfc7238bis-02: (with DISCUSS)

From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 4 Feb 2015 09:35:26 -0500
Message-ID: <CALaySJJD9=Ah5gaKtkc0qoeL=0QCOXRaYYKr6CebeGyV+=PfNw@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, draft-ietf-httpbis-rfc7238bis@tools.ietf.org, "httpbis-chairs@tools.ietf.org" <httpbis-chairs@tools.ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, The IESG <iesg@ietf.org>, Ted Lemon <Ted.Lemon@nominum.com>
>>> I would not object, and I think it would be a good idea, to include a
>>> very short paragraph that goes something like this:
>>>
>>> << Unsecured http is always subject to redirect attacks, in that a
>>> "man in the middle" can replace any http response with a redirect
>>> (such as to a malicious site or one benefiting the attacker).  Such an
>>> attack can use "permanent" redirect codes (301 or 308) to convince
>>> clients or proxies to cache the malicious information.  Secured https
>>> is not subject to these sorts of attacks. >>
>
> Thanks, Barry.  That's what I was looking to see and think it will be helpful.

Great; and, as Julian has accepted that, feel free to clear the
DISCUSS, and he and I will make sure it gets into the next revision.

Barry
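The risk in the quoted paragraph, illustrated as an added client-side policy (my example, not text or code from the draft or the working group): a 301/308 is only remembered across requests when it arrived over https, while a permanent redirect received over unsecured http is followed once but never persisted, since a man in the middle could have substituted it. The URLs and responses are constructed.

```python
"""Added example: caching policy for permanent redirects (301/308).

Assumption of this example, not a requirement of the draft: a client
persists a permanent redirect only when the response was received over
https, because only then is the origin authenticated.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = {301, 308}
TEMPORARY_REDIRECTS = {302, 303, 307}
ALL_REDIRECTS = PERMANENT_REDIRECTS | TEMPORARY_REDIRECTS


@dataclass
class Response:
    """Minimal constructed HTTP response: the URL asked for, status, headers."""
    request_url: str
    status: int
    headers: Dict[str, str]


class RedirectCache:
    """Remembers permanent redirects, keyed by the original request URL."""

    def __init__(self) -> None:
        self._entries: Dict[str, str] = {}

    def lookup(self, url: str) -> Optional[str]:
        """Return a previously persisted redirect target, if any."""
        return self._entries.get(url)

    def handle(self, resp: Response) -> Optional[str]:
        """Return the Location to follow now; persist it only when safe."""
        location = resp.headers.get("Location")
        if resp.status not in ALL_REDIRECTS or not location:
            return None
        secured = urlsplit(resp.request_url).scheme == "https"
        if resp.status in PERMANENT_REDIRECTS and secured:
            # Authenticated origin asked for a permanent move: remember it.
            self._entries[resp.request_url] = location
        # Plain-http 301/308 (could be injected on the path) and all
        # temporary codes are followed for this request only.
        return location


def persisted_after(cache: RedirectCache, resp: Response) -> bool:
    """Helper: handle one response, then report whether it was cached."""
    cache.handle(resp)
    return cache.lookup(resp.request_url) is not None
```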
Received on Wednesday, 4 February 2015 14:35:54 UTC
