On Tuesday, February 19, 2013 at 8:23 AM, Giovanni Bajo wrote:

> What are the benefits of redirects? I think they just hide potential problems,
> and they still can be exploited by MITM through ssl-stripping. Plus, they
> cause breakage and/or UX problems in existing tools.
>

If you do not redirect users to HTTPS you cannot set HSTS until they manually visit an HTTPS URL. The redirect allows an easy way to force everyone to visit an HTTPS URL immediately upon navigating to PyPI.

> Given that they give basically no security, I would suggest their removal
> until we fix all important issues in all third-party tools. For browsers,
> since you can still serve HSTS headers even without redirects, we can get it
> included in Chrome and Firefox builtin HSTS list.

HSTS can only be sent within an HTTPS response with a valid SSL certificate; to allow otherwise would allow a MITM to effectively prevent a user from visiting a site.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
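The two points made in the reply (a plain-HTTP response carrying `Strict-Transport-Security` must be ignored, and only once the redirect has landed a user on HTTPS can the policy be recorded and future `http://` navigations upgraded) can be shown with a toy model of a browser's HSTS cache. This is an added illustration, not code from the thread or from PyPI; the host `pypi.example` and the header values in the comments are constructed placeholders.

```python
"""Toy model of a browser's HSTS cache (RFC 6797 semantics, simplified)."""
import time
from urllib.parse import urlsplit, urlunsplit

class HstsCache:
    """host -> (expiry timestamp, include_subdomains)."""
    def __init__(self):
        self.policies = {}

    def observe(self, url, headers, now=None):
        """Apply a Strict-Transport-Security header from a response to `url`.
        Only an HTTPS response may set or clear a policy; over plain HTTP the
        header is ignored, since an on-path attacker could have injected it."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")  # assumed canonical key
        if value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            if name.lower() == "max-age" and arg.strip().isdigit():
                max_age = int(arg.strip())
            elif name.lower() == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # malformed header: no max-age, policy unchanged
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 revokes the policy
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def upgrade(self, url, now=None):
        """Rewrite http:// to https:// before any network I/O when a live
        policy covers the host (directly, or via includeSubDomains)."""
        now = time.time() if now is None else now
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return urlunsplit(("https", parts.netloc, parts.path,
                                   parts.query, parts.fragment))
        return url
```

Without the redirect, a user who only ever types `http://pypi.example/` never produces an HTTPS response for `observe` to accept, so `upgrade` keeps returning the plaintext URL; after one redirected HTTPS visit, later `http://` requests are rewritten locally before any packet leaves the machine.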
