> What is a secure cookie? Handshaking plus encryption?

A cookie that can only be sent to a site over a secure connection, presumably because it contains sensitive information.

> Is redirecting from a secure https://login.server to an unsecure
> http://content.server a Bad Thing? If not, can anybody point me

It confuses users by making them think they are talking to something secure when they are not (or generates lots of warnings about this). Any information sent to a non-secure site violates the no write down principle of security, i.e. any information held by a secure system should be treated as tainted by the secure information that it holds. This also applies to talking to you at all if it serves other people, so it has to be compromised for any realistic e-commerce system! Total dispensation from this principle requires a level of trust in the software that is not realistic for nearly all software, let alone e-commerce software.

> to an RFC-like object that codifies the SHOULDs, MAYs and MUSTs
> of the transaction? If not, is there a list consensus on
> real-world conditions in this area?

The web essentially ignores the existing RFC on cookies, still using a less secure Netscape standard. You can't really expect standards here - one is talking of good practice. There are a lot of dodgy things that happen with SSL; one gets sites that use a different domain name for their secure server, when the correlation of the domain name is the only indication that the insecure site you started with hasn't been hijacked by a man in the middle who is substituting their secure site for the real one. I believe Lynx is not safe against man in the middle attacks of the secure site, as it apparently doesn't authenticate the site.

; To UNSUBSCRIBE: Send "unsubscribe lynx-dev" to [EMAIL PROTECTED]
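An added example, not part of the message above: a small audit of the two problems the reply describes, a cookie set over https without the Secure attribute and a redirect that drops from https to http (or leaves the original host). The response headers are constructed, and login.example / content.example are placeholder hosts.

```python
from urllib.parse import urlparse

# Constructed sample: what a login endpoint on a placeholder host might return.
SAMPLE_RESPONSE = {
    "origin": "https://login.example/auth",
    "status": 302,
    "location": "http://content.example/home?token=abc123",
    "set_cookie": [
        "session=abc123; Path=/; HttpOnly",          # missing Secure
        "csrf=xyz; Path=/; Secure; HttpOnly",        # fine
    ],
}

def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs

def audit_cookies(origin, set_cookie_headers):
    """Flag cookies issued over https that a browser would also send over plain http."""
    findings = []
    if urlparse(origin).scheme == "https":
        for header in set_cookie_headers:
            name, attrs = parse_set_cookie(header)
            if "secure" not in attrs:
                findings.append(f"cookie '{name}' set over https lacks the Secure attribute")
    return findings

def audit_redirect(origin, location):
    """Flag an https -> http downgrade and a change of host the user cannot correlate."""
    findings = []
    src, dst = urlparse(origin), urlparse(location)
    if src.scheme == "https" and dst.scheme == "http":
        findings.append(f"https -> http downgrade: {origin} redirects to {location}")
        if dst.query:
            findings.append("downgraded redirect carries a query string in the clear")
    if dst.netloc and dst.hostname != src.hostname:
        findings.append(f"redirect leaves {src.hostname} for {dst.hostname}")
    return findings

def audit_response(resp):
    return audit_cookies(resp["origin"], resp["set_cookie"]) + \
        audit_redirect(resp["origin"], resp["location"])

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("WARN:", finding)
```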
