On 19 Feb 2013, at 14:43, Donald Stufft <donald.stu...@gmail.com> wrote:
> On Tuesday, February 19, 2013 at 8:35 AM, Giovanni Bajo wrote:
>> We have two different kinds of users:
>> 1) Browsers
>> 2) Tools
>>
>> For browsers, yes, a redirect would be useful. For tools, not so much (in
>> fact, it can give a false feeling of security). This is also why I was proposing
>> to apply for the Chromium and Mozilla whitelists once HSTS is properly deployed
>> (max-age > 6 months is needed to apply).
>>
>> I would be OK with redirecting for browsers (matching the user agent, for
>> instance), but I would try to disable it for tools as much as possible.
> The redirect only occurs on GET/HEAD: either the tools are using POST and
> won't be affected, or they're using GET and the stdlib should handle the
> redirect automatically. Even without verification of an SSL cert you still
> get some protection from passive attacks.

Passwords are transmitted in POST requests, which don't get redirected. What kind of passive attacks are you thinking of?

> I also reject the idea that it will give a false feeling of security, as most
> people won't even realize they are being redirected to SSL in a tool.

I'm thinking of installation tools that print the current URL on the console, like pip and easy_install do.

-- 
Giovanni Bajo :: ra...@develer.com
Develer S.r.l. :: http://www.develer.com
My Blog: http://giovanni.bajo.it
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
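The thread above turns on a gap between browsers and tools: a server-side redirect on GET/HEAD teaches a browser with an HSTS cache to use https:// from then on, but a command-line tool that has no such cache will still send its POST (credentials included) to the http:// URL it was configured with. The following is an added example, not code from pip, easy_install or PyPI: it parses a Strict-Transport-Security header per RFC 6797, applies the "max-age > 6 months" preload threshold quoted in the thread (the constant is an approximation of that figure, not the browsers' exact rule), and implements the client-side HSTS memory a tool would need to upgrade an http:// URL before any request leaves the machine. The host names pypi.python.org, files.pypi.python.org and example.org are placeholders chosen for the example.

```python
"""Client-side HSTS handling for a command-line tool (added example).

Not pip/PyPI code. Sample hosts are placeholders; the SIX_MONTHS threshold
approximates the "max-age > 6 months" figure quoted in the mailing-list thread.
"""
import time
from urllib.parse import urlsplit, urlunsplit

SIX_MONTHS = 182 * 24 * 60 * 60  # ~6 months in seconds (assumed threshold)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is invalid: missing or non-numeric max-age, or a repeated directive.
    """
    directives = {}
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in directives:  # RFC 6797: a directive must not appear twice
            return None
        directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in directives}


def preload_eligible(policy):
    """Apply the max-age threshold the thread cites for a preload application."""
    return policy is not None and policy["max_age"] > SIX_MONTHS


class HSTSCache:
    """Remembers hosts that sent HSTS over TLS and upgrades later http:// URLs.

    This is what browsers have and installer tools in the thread lack: once a
    host is known, even a POST is rewritten to https:// before being sent,
    so no server-side redirect (which only covers GET/HEAD) is relied on.
    """

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def remember(self, host, header, over_tls, now=None):
        """Record a policy; headers seen over plain HTTP are ignored (RFC 6797 8.1)."""
        if not over_tls:
            return
        policy = parse_hsts(header)
        if policy is None:
            return
        host = host.lower()
        now = time.time() if now is None else now
        if policy["max_age"] == 0:  # max-age=0 revokes a stored policy
            self._hosts.pop(host, None)
            return
        self._hosts[host] = (now + policy["max_age"], policy["include_subdomains"])

    def _matches(self, host, now):
        # Walk from the full host up to each parent domain; a parent entry only
        # applies when it carried includeSubDomains and has not expired.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// for known hosts before a request is sent."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return url
        if not self._matches(parts.hostname, now):
            return url
        # RFC 6797 8.3: port 80 (explicit or implied) becomes the https default;
        # any other explicit port is kept. Userinfo (index credentials) is kept too.
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc += f":{parts.port}"
        if parts.username is not None:
            cred = parts.username
            if parts.password is not None:
                cred += f":{parts.password}"
            netloc = f"{cred}@{netloc}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

A tool would call `remember()` on every response received over TLS and `upgrade()` on every URL before connecting; the `now` parameter exists so expiry can be tested deterministically and is not needed in real use. Note that the cache only ever learns a host after one successful TLS visit, which is exactly why the thread's preload-list application matters: it covers the very first request.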