On Fri, 7 Nov 2003, Merton Campbell Crockett wrote:
> It's only sent across the Internet to the client in encrypted form. Now,
> that doesn't mean it won't be slow as each http request will be redirected
> to the https port. But the content won't be retrieved from the internal
> server except when an https request is made.
Most often it is the client->server data you want to protect most, as this
may contain login information, session keys, credit card numbers etc. If
the client continuously connects first using http and is then told by
the server to use https, then there is no protection of the client->server
data, allowing for a wide variety of attacks.
> You could return a permanently moved status to the http request. If you're
> lucky, the browser will "remember" this and translate all http requests to
> https requests.
Unfortunately not very effective: these redirects act on specific URLs
only, including the full query string.
It should also be noted that the warning you get when trying to access a
http:// URL from a page loaded via https:// is a very valid warning.
http:// does not provide any protection of sensitive information or
authentication of the server. As soon as you leave the https:// session
you are basically on your own wrt security and a determined cracker will
have little problem hijacking your session.
Regards
Henrik
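The two points Henrik makes above (the initial http request has already left the client in the clear before any redirect arrives, and a remembered 301 only covers the exact URL it was issued for, query string included) can be seen in a small simulation. This is an added example, not code from the original thread; it models a server that answers every http request with a 301 to the same URL on https, and a browser that remembers 301s per exact URL (the "if you're lucky" behaviour Merton describes, assumed here for illustration). The host example.test, the cookie and the form body are constructed sample data.

```python
"""Simulation of the http -> https redirect scheme discussed in the thread.

Added example, not from the original message. It records every request
the simulated browser puts on the wire so that the ones sent over plain
http can be listed afterwards.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def redirect_to_https(req):
    """Server side: answer any http:// request with a 301 to https://,
    keeping host, path and query string unchanged."""
    parts = urlsplit(req.url)
    if parts.scheme == "https":
        return Response(200)
    https_url = urlunsplit(("https", parts.netloc, parts.path,
                            parts.query, parts.fragment))
    return Response(301, {"Location": https_url})


class Browser:
    """Client side. Assumption (not guaranteed by real browsers): a 301 is
    remembered and applied to later requests for the identical URL."""

    def __init__(self):
        self.remembered_301 = {}   # exact URL -> Location it was moved to
        self.wire_log = []         # every Request actually transmitted

    def fetch(self, req, server, max_hops=3):
        url = self.remembered_301.get(req.url, req.url)
        req = Request(url, dict(req.headers), req.body)
        for _ in range(max_hops):
            self.wire_log.append(req)      # on the wire, in whatever scheme
            resp = server(req)
            if resp.status != 301:
                return resp
            self.remembered_301[req.url] = resp.headers["Location"]
            req = Request(resp.headers["Location"], dict(req.headers), req.body)
        raise RuntimeError("too many redirects")


def sent_in_cleartext(browser):
    """Requests that went out over http://, i.e. readable on the path."""
    return [r for r in browser.wire_log if urlsplit(r.url).scheme == "http"]


def demo():
    """Returns how many cleartext requests have gone out after each step."""
    browser = Browser()
    creds = {"Cookie": "session=abc123"}        # constructed sample data
    body = "user=alice&pw=hunter2"              # constructed sample data

    # 1. First visit: the http request, cookie and form body included, is
    #    transmitted before the server can say "use https".
    browser.fetch(Request("http://example.test/login", creds, body),
                  redirect_to_https)
    after_first = len(sent_in_cleartext(browser))

    # 2. Identical URL again: the remembered 301 rewrites it to https
    #    before anything is sent, so no new cleartext request.
    browser.fetch(Request("http://example.test/login", creds, body),
                  redirect_to_https)
    after_second = len(sent_in_cleartext(browser))

    # 3. Same page with a different query string: no cache match, so the
    #    request (still carrying the cookie and body) goes out over http.
    browser.fetch(Request("http://example.test/login?next=/account",
                          creds, body), redirect_to_https)
    after_third = len(sent_in_cleartext(browser))
    return after_first, after_second, after_third


if __name__ == "__main__":
    print("cleartext requests after each step:", demo())
    b = Browser()
    b.fetch(Request("http://example.test/login", {"Cookie": "session=abc123"},
                    "user=alice&pw=hunter2"), redirect_to_https)
    for r in sent_in_cleartext(b):
        print("leaked over http:", r.url, r.headers, r.body)
```

The counts come out as 1, 1, 2: the first request leaks, the exact repeat is rescued by the remembered redirect, and any variation in the query string leaks again. Whatever the browser does with 301s, the server never sees the first http request before the client has already sent it.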
Received on Fri Nov 07 2003 - 11:48:00 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:11 MST