RE: URL disambiguation

That's a fair comment, definitely worth discussing.  But I do think this
is a topic WSC should address.  Current UA behavior seems to vary quite
a bit, perhaps due to lack of a standard.

  _____  

From: Ian Fette [mailto:ifette@google.com] 
Sent: Tuesday, March 04, 2008 1:13 PM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: URL disambiguation


This seems bad to me. Specifically, trying HTTPS before HTTP is going to
be costly to some few number of sites. E.g. a ton of users just type in
google.com, yahoo.com, microsoft.com. For many of these use cases, SSL
is not appropriate. I understand the desire that for banks it goes to
https, but for the general web this is not a good thing IMHO. What would
be better is to say that if you're a banking site, you should
immediately redirect from http:// to https://. Trying to move the whole
web to https:// is very different, and is basically what you propose. 


On Tue, Mar 4, 2008 at 7:49 AM, <michael.mccormick@wellsfargo.com>
wrote:


	http://no-www.org/
	http://yes-www.org/

	No doubt most of you are familiar with these web sites, and with
the arguments for and against requiring host names in URLs.

	Most browsers seem to make it a moot point by accepting both
forms of URL.  If I type "example.com" into my browser it takes me to
http://www.example.com.  The agent is letting
me be lazy and skip typing the protocol (http://) or hostname (www.)
portions of my destination address.

	The process of URL disambiguation, whereby the UA attempts to
guess parts of the address the user has omitted, should be standardized
for both security & experience reasons:

	[protocol://][host.][domain][.TLD][:port][/[path]][?query] 

	 - If protocol omitted, UA must try https before http.  (Always
prefer a TLS protected destination.) 

	 - If host omitted, and protocol is http(s), UA may try the host
name "www" in the target domain if it has a DNS record, unless the agent
is in SBM mode.

	 - etc. 


	Michael McCormick, CISSP 
	Lead Security Architect, Information Security Technologies 
	Wells Fargo Bank 
	"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF
WELLS FARGO" 

Received on Tuesday, 4 March 2008 19:19:10 UTC
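
The candidate ordering implied by the two rules in the quoted proposal, as an added example that is not part of the original messages. The names candidateUrls, hasDnsRecord and safeMode are hypothetical, "host omitted" is approximated as a two-label name, and trying the name as typed before "www." is an assumption the thread does not settle.

```javascript
// Added example (not from the thread): orders the URLs a user agent would try
// for a partially typed address, following the two rules proposed above.
// Assumptions, all hypothetical: the names candidateUrls, hasDnsRecord and
// safeMode; "host omitted" means the name has exactly two labels (a real UA
// would need a public-suffix list); the name as typed is tried before "www.".
function candidateUrls(input, { hasDnsRecord = () => false, safeMode = false } = {}) {
  const typed = input.trim();
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(typed);
  const scheme = m ? m[1].toLowerCase() : null;
  const rest = m ? m[2] : typed;

  // Separate the authority (name[:port]) from the path/query tail.
  const cut = rest.search(/[\/?]/);
  const authority = (cut === -1 ? rest : rest.slice(0, cut)).toLowerCase();
  const tail = cut === -1 ? "/" : (rest[cut] === "?" ? "/" : "") + rest.slice(cut);
  const pm = /^(.*?)(:\d+)?$/.exec(authority);
  const name = pm[1];
  const port = pm[2] || "";
  if (!name) throw new Error("no domain in input");

  // Rule 1: protocol omitted -> https first, then http.
  const schemes = scheme ? [scheme] : ["https", "http"];

  // Rule 2: host omitted and protocol is http(s) -> "www." may be tried, but
  // only if it has a DNS record and the agent is not in SBM mode.
  const names = [name];
  const web = schemes.every((s) => s === "https" || s === "http");
  const hostOmitted = name.split(".").length === 2;
  if (web && hostOmitted && !safeMode && hasDnsRecord("www." + name)) {
    names.push("www." + name);
  }

  // Every https candidate precedes every http candidate.
  const out = [];
  for (const s of schemes) for (const n of names) out.push(`${s}://${n}${port}${tail}`);
  return out;
}

// Constructed sample input: a fake resolver that knows a single www record.
const fakeDns = (h) => h === "www.example.com";
console.log(candidateUrls("example.com", { hasDnsRecord: fakeDns }));
```

The http entries remain as fallbacks, so a network position that can make the https attempts fail still leaves the user on cleartext; the ordering expresses a preference, not a guarantee.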