- From: Bil Corry <bil@corry.biz>
- Date: Mon, 09 Nov 2009 23:14:21 -0800
- To: Collin Jackson <collin.jackson@sv.cmu.edu>
- CC: "Hodges, Jeff" <jeff.hodges@paypal.com>, public-webapps@w3.org, abarth@eecs.berkeley.edu, Andy Steingruebl <steingra@gmail.com>
Collin Jackson wrote on 11/8/2009 11:06 PM:
> On Sun, Nov 8, 2009 at 9:42 PM, Bil Corry <bil@corry.biz> wrote:
>> How does the server identify the STS clients? If there isn't a way (which I don't believe there is), then given the STS requirement that a server should redirect from non-HTTPS to HTTPS, what does that mean for UAs that don't understand STS -- does the best practice of not redirecting to HTTPS still apply[2]?
>>
>> [2] OWASP: Rule - Do Not Perform Redirects from Non-TLS Page to TLS Login Page
>> http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page
>
> It seems like a stretch to call this a "best practice" since it is so rarely followed. What major web sites follow this practice?

I'm unattached to the label "best practice" -- consider my question changed to: "Does OWASP's recommendation of not redirecting to HTTPS still apply?"

Andy did respond to the above question and the rest here:

http://www.webappsec.org/lists/websecurity/archive/2009-11/msg00008.html

- Bil
Received on Tuesday, 10 November 2009 07:24:49 UTC