RE: URL disambiguation

B-of-A should just put their whole web site under SSL like Wells Fargo
did. :) 

-----Original Message-----
From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
On Behalf Of Anil Saldhana
Sent: Tuesday, March 04, 2008 1:17 PM
To: Ian Fette
Cc: McCormick, Mike; public-wsc-wg@w3.org
Subject: Re: URL disambiguation


Additionally, it would be nice if the banks would accept my https url
(redirect to the http version if one does not exist). ;)

Try:
https://www.bankofamerica.com/giftcard  (404)
http://www.bankofamerica.com/giftcard


Ian Fette wrote:
> This seems bad to me. Specifically, trying HTTPS before HTTP is going 
> to be costly to some few number of sites. E.g. a ton of users just 
> type in google.com, yahoo.com, microsoft.com. For many of these use 
> cases, SSL is not appropriate. I understand the desire that for banks 
> it goes to https, but for the general web this is not a good thing 
> IMHO. What would be better is to say that if you're a banking site, 
> you should immediately redirect from http:// to https://. Trying to 
> move the whole web to https:// is very different, and is basically
> what you propose.
> 
> On Tue, Mar 4, 2008 at 7:49 AM, <michael.mccormick@wellsfargo.com> wrote:
> 
>> http://no-www.org/
>> http://yes-www.org/
>>
>> No doubt most of you are familiar with these web sites, and with the 
>> arguments for and against requiring host names in URLs.
>>
>> Most browsers seem to make it a moot point by accepting both forms of
>> URL.  If I type "example.com" into my browser it takes me to
>> http://www.example.com.  The agent is letting me be lazy and skip
>> typing the protocol (http://) or hostname (www.) portions of my
>> destination address.
>>
>> The process of URL disambiguation, whereby the UA attempts to guess
>> parts of the address the user has omitted, should be standardized for
>> both security & experience reasons:
>>
>> [protocol://][host.][domain][.TLD][:port][/[path]][?query]
>>
>>  - If protocol omitted, UA must try https before http.  (Always 
>> prefer a TLS protected destination.)
>>
>>  - If host omitted, and protocol is http(s), UA may try the host name
>> "www" in the target domain if it has a DNS record, unless the agent
>> is in SBM mode.
>>
>>  - etc.
>>
>> Michael McCormick, CISSP
>> Lead Security Architect, Information Security Technologies
>> Wells Fargo Bank
>> "THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS FARGO"
>> This message may contain confidential and/or privileged information.
>> If you are not the addressee or authorized to receive this for the
>> addressee, you must not use, copy, disclose, or take any action based
>> on this message or any information herein.  If you have received this
>> message in error, please advise the sender immediately by reply
>> e-mail and delete this message.  Thank you for your cooperation.
>>
> 

--
Anil Saldhana
Project/Technical Lead,
JBoss Security & Identity Management
JBoss, A division of Red Hat Inc.
http://labs.jboss.com/portal/jbosssecurity/

Received on Tuesday, 4 March 2008 19:25:58 UTC
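The candidate ordering McCormick proposes (https before http when the scheme is omitted, an optional "www." host unless the agent is in SBM mode) and the bank-site behaviour Saldhana describes (the https URL answers 404 while the http one works) can be written down as a small resolver. This is an added example, not code from any list participant or browser; the single-dot test for "host omitted", the `fetch` callback and the status table are constructed for illustration.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Loose grammar from the proposal: [protocol://][host.][domain][.TLD][:port][/[path]][?query]
_TYPED = re.compile(r"^(?:(?P<scheme>https?)://)?(?P<hostport>[^/?#]+)(?P<rest>[/?#].*)?$")


def candidates(typed: str, sbm_mode: bool = False) -> List[str]:
    """Candidate URLs in the order the proposal says a UA should try them.

    - scheme omitted: every https candidate precedes every http candidate
    - host omitted: also try "www." + domain, unless the agent is in SBM mode
    Assumption for this example: "host omitted" means a single-dot name such as
    example.com (a real UA would consult the public suffix list instead).
    """
    m = _TYPED.match(typed.strip())
    if not m:
        return []
    scheme, rest = m.group("scheme"), m.group("rest") or ""
    host, _, port = m.group("hostport").partition(":")
    schemes = [scheme] if scheme else ["https", "http"]
    hosts = [host] + (["www." + host] if host.count(".") == 1 and not sbm_mode else [])
    return [f"{s}://{h}{':' + port if port else ''}{rest}" for s in schemes for h in hosts]


def resolve(typed: str, fetch: Callable[[str], Optional[int]], sbm_mode: bool = False,
            treat_404_as_failure: bool = False) -> Optional[Tuple[str, int]]:
    """Walk the candidates; fetch(url) returns an HTTP status, or None on connection failure.

    A strict https-first UA stops at the first server that answers at all, so a
    404 from the TLS site is the final result. Treating 404 as "try the next
    candidate" reaches the plain-http page, but it is a protocol downgrade on an
    application-level error; a UA policy has to decide which it wants.
    """
    for url in candidates(typed, sbm_mode):
        status = fetch(url)
        if status is None or (status == 404 and treat_404_as_failure):
            continue
        return url, status
    return None


# Constructed status table modelling the giftcard URLs from the thread; no network is used.
SAMPLE_STATUS: Dict[str, int] = {
    "https://www.bankofamerica.com/giftcard": 404,
    "http://www.bankofamerica.com/giftcard": 200,
}


def sample_fetch(url: str) -> Optional[int]:
    return SAMPLE_STATUS.get(url)  # None = no listener / connection failure
```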