On Tuesday, February 19, 2013 at 8:35 AM, Giovanni Bajo wrote:
> We have two different kinds of users:
> 1) Browsers
> 2) Tools
>
> For browsers, yes, redirect would be useful. For tools, not so much (in fact,
> it can give a false security feeling). This is also why I was proposing to
> apply for Chromium and Mozilla whitelists once HSTS is properly deployed
> (max-age > 6 months is needed to apply).
>
> I would be OK with redirecting for browsers (matching the user agent for
> instance), but I would try to disable for tools as much as possible.

The redirect only occurs on GET/HEAD; either the tools are using POST and won't be affected, or they're using GET and the stdlib should handle the redirect automatically. Even without verification of an SSL cert you still get some protection from passive attacks.
I also reject the idea that it will give a false security feeling as most people won't even realize they are being redirected to SSL in a tool.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
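The behaviour discussed in this thread (redirect only GET/HEAD to HTTPS, with an HSTS header on HTTPS responses) can be sketched as WSGI middleware. This is an added example, not code from the thread or from PyPI; `HttpsRedirect`, `demo_app`, `request`, the host `pypi.example` and the one-year `max-age` are assumptions made for illustration.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 365 * 24 * 3600  # assumed: one year, above the 6 months cited in the thread


class HttpsRedirect:
    """Redirect plain-HTTP GET/HEAD to HTTPS; add HSTS to HTTPS responses."""

    def __init__(self, app, host, max_age=HSTS_MAX_AGE):
        self.app = app
        self.host = host  # configured canonical host, never the request's Host header
        self.max_age = max_age

    def __call__(self, environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if scheme == "http" and environ["REQUEST_METHOD"] in ("GET", "HEAD"):
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""))
            query = environ.get("QUERY_STRING", "")
            location = "https://" + self.host + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        if scheme != "https":
            # POST and other methods over plain HTTP are not redirected:
            # the request body has already crossed the wire in cleartext.
            return self.app(environ, start_response)

        def with_hsts(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=%d" % self.max_age)]
            return start_response(status, headers, exc_info)
        return self.app(environ, with_hsts)


def demo_app(environ, start_response):
    # Hypothetical wrapped application used only to exercise the middleware.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def request(app, method, scheme, path="/", query=""):
    """Drive the WSGI app with a constructed request; return (status, headers)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme,
               "SCRIPT_NAME": "", "PATH_INFO": path, "QUERY_STRING": query}
    list(app(environ, start_response))
    return seen["status"], seen["headers"]
```

A plain-HTTP POST passes through without a redirect or an HSTS header, which is the case where a tool gets no protection from this mechanism.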