Collin Jackson wrote on 11/8/2009 11:06 PM:
> On Sun, Nov 8, 2009 at 9:42 PM, Bil Corry <[email protected]> wrote:
>> How does the server identify the STS clients? If there isn't a way (which I
>> don't believe there is), then given the STS requirement that a server should
>> redirect from non-HTTPS to HTTPS, what does that mean for UAs that don't
>> understand STS -- does the best practice of not redirecting to HTTPS still
>> apply[2]?
>>
>> [2] OWASP: Rule - Do Not Perform Redirects from Non-TLS Page to TLS Login
>> Page
>>
>> http://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Do_Not_Perform_Redirects_from_Non-TLS_Page_to_TLS_Login_Page
>
> It seems like a stretch to call this a "best practice" since it is so
> rarely followed. What major web sites follow this practice?
I'm unattached to the label "best practice" -- consider my question changed to:
"Does OWASP's recommendation of not redirecting to HTTPS still apply?"
Andy did respond to the above question and the rest here:
http://www.webappsec.org/lists/websecurity/archive/2009-11/msg00008.html
- Bil
