On 19 Feb 2013, at 14:27, Donald Stufft <donald.stu...@gmail.com> wrote:
> On Tuesday, February 19, 2013 at 8:23 AM, Giovanni Bajo wrote:
>> What are the benefits of redirects? I think they just hide potential
>> problems, and they still can be exploited by MITM through ssl-stripping.
>> Plus, they cause breakage and/or UX problems in existing tools.
> If you do not redirect users to HTTPS you cannot set HSTS until they
> manually visit a HTTPS url. The redirect allows an easy way to force
> everyone to visit a HTTPS url immediately upon navigating to PyPI.

We have two different kinds of users:

1) Browsers
2) Tools

For browsers, yes, a redirect would be useful. For tools, not so much (in fact, it can give a false feeling of security). This is also why I was proposing to apply for the Chromium and Mozilla whitelists once HSTS is properly deployed (max-age > 6 months is needed to apply).

I would be OK with redirecting for browsers (matching the user agent, for instance), but I would try to disable it for tools as much as possible.

>> Given that they give basically no security, I would suggest their removal
>> until we fix all important issues in all third-party tools. For browsers,
>> since you can still serve HSTS headers even without redirects, we can get it
>> included in Chrome and Firefox builtin HSTS list.
> HSTS can only be sent within a HTTPS response w/ a Valid SSL certificate, to
> allow otherwise would allow MITM to effectively prevent a user from visiting
> a site.

If we get included in those whitelists, we technically won't need redirects (though it wouldn't be hard to leave them in).

-- 
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
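The policy sketched in this exchange (redirect browsers, leave tools alone, emit HSTS only over HTTPS, and check the max-age threshold the thread cites before applying for the preload lists), written out as an added example that is not code from PyPI or from either poster. The User-Agent patterns, the one-year max-age and the host names are assumptions for illustration.

```python
"""Added illustration of the redirect/HSTS policy discussed in the thread."""
import re

SIX_MONTHS = 182 * 24 * 3600    # threshold the thread cites for the whitelists
HSTS_MAX_AGE = 365 * 24 * 3600  # assumed value, comfortably above that threshold

# Assumed patterns: browsers are redirected, package tools are not.
BROWSER_UA = re.compile(r"Mozilla|Chrome|Safari|Opera", re.I)
TOOL_UA = re.compile(r"\bpip\b|setuptools|distribute|Python-urllib", re.I)


def is_browser(user_agent):
    ua = user_agent or ""
    return bool(BROWSER_UA.search(ua)) and not TOOL_UA.search(ua)


def respond(scheme, host, path, user_agent):
    """Return (status, headers) for a request under the thread's policy.

    - HTTP from a browser: 301 to the HTTPS URL, so HSTS is set on arrival.
    - HTTP from a tool: served unchanged; a redirect buys a tool nothing,
      since a MITM on the plaintext leg can strip it.
    - HTTPS: served with an HSTS header. The header is never sent over plain
      HTTP, because clients only honour it on a valid TLS connection.
    """
    headers = {}
    if scheme == "http":
        if is_browser(user_agent):
            headers["Location"] = "https://%s%s" % (host, path)
            return 301, headers
        return 200, headers
    headers["Strict-Transport-Security"] = (
        "max-age=%d; includeSubDomains" % HSTS_MAX_AGE)
    return 200, headers


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip() if val else True
    return directives


def preload_eligible(hsts_value, served_over_https):
    """The two preconditions the thread states: HTTPS-only, max-age > 6 months."""
    if not served_over_https:
        return False
    try:
        return int(parse_hsts(hsts_value).get("max-age", 0)) > SIX_MONTHS
    except ValueError:
        return False
```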
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig