Re: URL disambiguation

This seems bad to me. Specifically, trying HTTPS before HTTP is going to be
costly to some few number of sites. E.g. a ton of users just type in
google.com, yahoo.com, microsoft.com. For many of these use cases, SSL is
not appropriate. I understand the desire that for banks it goes to https,
but for the general web this is not a good thing IMHO. What would be better
is to say that if you're a banking site, you should immediately redirect
from http:// to https://. Trying to move the whole web to https:// is very
different, and is basically what you propose.

On Tue, Mar 4, 2008 at 7:49 AM, <michael.mccormick@wellsfargo.com> wrote:

> http://no-www.org/
> http://yes-www.org/
>
> No doubt most of you are familiar with these web sites, and with the
> arguments for and against requiring host names in URLs.
>
> Most browsers seem to make it a moot point by accepting both forms of
> URL.  If I type "example.com" into my browser it takes me to
> http://www.example.com.  The agent is letting me
> be lazy and skip typing the protocol (*http://*) or hostname (*www.*)
> portions of my destination address.
>
> The process of URL disambiguation, whereby the UA attempts to guess parts
> of the address the user has omitted, should be standardized for both
> security & experience reasons:
>
> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
>
>  - If protocol omitted, UA must try https before http.  (Always prefer a
> TLS protected destination.)
>
>  - If host omitted, and protocol is http(s), UA may try the host name
> "www" in the target domain if it has a DNS record, unless the agent is in
> SBM mode.
>
>  - etc.
>
> *Michael McCormick, CISSP*
> Lead Security Architect, Information Security Technologies
> Wells Fargo Bank
> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
> FARGO"

Received on Tuesday, 4 March 2008 19:13:44 UTC
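
The two rules in the quoted proposal, worked through as an added example (not code from either poster or from any browser): it lists the URLs a UA would try, in order, and counts how many https attempts precede the first plain-http one, which is the cost the reply raises. Assumptions: `hasDnsRecord` is a hypothetical caller-supplied lookup, `sbm` is a plain flag, a two-label name is treated as "host omitted", the name as typed is tried before `www`, and IPv6 literals are not handled.

```javascript
// Added example, not from the thread. hasDnsRecord is a hypothetical
// caller-supplied lookup so the ordering can be checked offline.
function disambiguate(input, { hasDnsRecord = () => false, sbm = false } = {}) {
  // [protocol://]name[:port][/[path]][?query]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/?#:\s]+)(?::(\d+))?([\/?#].*)?$/i
    .exec(input.trim());
  if (!m) return [];
  const scheme = m[1] ? m[1].toLowerCase() : null;
  const name = m[2].toLowerCase();
  const port = m[3] ? ":" + m[3] : "";
  let rest = m[4] || "/";
  if (!rest.startsWith("/")) rest = "/" + rest; // "example.com?q=1" -> "/?q=1"

  // Rule 1: protocol omitted -> https is tried before http.
  const schemes = scheme ? [scheme] : ["https", "http"];

  // Rule 2: host omitted -> "www" may be tried, only for http(s), only if it
  // has a DNS record, and never in SBM mode.
  // Assumption: a two-label, non-numeric name means the host part was omitted.
  const labels = name.split(".");
  const hostOmitted = labels.length === 2 && !/^\d+$/.test(labels[1]);
  const web = schemes.every((s) => s === "http" || s === "https");
  const hosts = [name];
  if (hostOmitted && web && !sbm && hasDnsRecord("www." + name)) {
    hosts.push("www." + name);
  }

  // Assumption: all hosts are tried under one scheme before moving to the next.
  const out = [];
  for (const s of schemes) for (const h of hosts) out.push(`${s}://${h}${port}${rest}`);
  return out;
}

// Number of https candidates that must fail before plain http is reached.
function httpsAttemptsBeforeHttp(candidates) {
  const i = candidates.findIndex((u) => u.startsWith("http://"));
  if (i < 0) return 0;
  return candidates.slice(0, i).filter((u) => u.startsWith("https://")).length;
}
```

With a constructed resolver that knows only `www.example.com`, typing `example.com` yields four candidates and two https attempts before the first http one; with `sbm: true` the `www` candidates disappear.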