Aren't those RFC docs amazing ? Reading up on standards ?
I needed plenty of time for them, as I encountered some interesting issues. As it turned out, some websites / loadbalancers are overly optimistic in encrypting all the things - actually, in redirecting all the things.
Never trust HTTP(s) clients, and be careful when setting up redirection rules. A non-RFC compliant client can trigger a (difficult to exploit) open redirect vulnerability, due to a non-RFC compliant server.
This vulnerability can be tested using
analyze_hosts.py --http TARGET
See https://github.com/PeterMosmans/security-scripts/ for the latest version of analyze_hosts.py
Be warned, long post ahead: A while ago I came across some servers that, when being sent insecure requests, responded with a redirect to the secure version.
% curl -sI http://VICTIM/
HTTP/1.1 301 Moved Permanently Connection: close Location: https://VICTIM/
So far so good, nothing fancy going on here. In fact, this is excellent behaviour. Insecure requests are immediately upgraded to secure requests.
However, the server seemed to be overly happy in redirecting, as it listened to the client-supplied Host parameter:
% curl -s -I -H "Host: MALICIOUS" http://VICTIM/
And the server responded by