On Thu, 3 Aug 2000, Philip Mak wrote:

> On Thu, 3 Aug 2000, Stas Bekman wrote:
> 
> > > use Apache::URI ();
> > > $r->parsed_uri->scheme;
> > > 
> > > returns http or https
> > 
> > Not really, you can spoof both:
> 
> Does the user have to spoof it deliberately in order for the wrong one to
> be detected?
> 
> If spoofing requires the user to do it on purpose, then in this case the
> $r->parsed_uri->scheme should be sufficient. The other method (putting
> HTTPS on a different port and using mod_rewrite to make it transparent) is
> better of course, but in case you can't do it for some reason, I think
> this will work too.
> 
> They don't gain anything by spoofing http/https deliberately; it just
> makes their connection not secure.

Not really. Of course this is not a thing that happens to you every day, but
someone can intercept the connection and spoof it to the server as secure,
while in fact Eve (the interceptor's name that is usually used in crypto
docs, next to Alice and Bob) intercepts all the connections, making the
user submit information in an insecure way. Think about banking... So
checking for the scheme would be OK in 99.99999% of cases, if you don't care
about the one that might be spoofed.


_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://perl.org     http://stason.org/TULARC
http://singlesheaven.com http://perlmonth.com http://sourcegarden.org
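Added example, not code from this thread or from the mod_perl project: the point above is that `$r->parsed_uri->scheme` is derived from the request line, which the client (or whoever sits between client and server) writes, whereas whether the bytes arrived over TLS is something only the server-side connection knows. The mod_perl 1.x handler below therefore asks mod_ssl, which exports `HTTPS=on` into the subprocess environment for TLS connections, instead of trusting the scheme string. Assumptions: Apache 1.3 with mod_ssl, `SSLOptions +StdEnvVars` enabled for the location, the handler installed as a `PerlHandler` (mod_ssl fills these variables in the fixup phase, so earlier phases do not see them), and the package name `My::RequireSSL` is invented for the illustration.

```perl
package My::RequireSSL;
use strict;
use Apache::Constants qw(OK REDIRECT);

sub handler {
    my $r = shift;

    # Spoofable: the scheme comes from the request line the client sent.
    # Shown only for comparison, it must not drive the security decision.
    my $claimed_scheme = $r->parsed_uri->scheme || 'http';

    # Trustworthy: mod_ssl sets HTTPS=on for requests that actually came
    # in over TLS (requires "SSLOptions +StdEnvVars" in httpd.conf).
    my $https = $r->subprocess_env('HTTPS') || '';

    if ($https eq 'on') {
        # Plain HTTP request claiming https:// would fail this branch.
        $r->log_error("scheme spoof attempt: claimed $claimed_scheme on non-TLS connection")
            if 0;  # (never true here; kept to show where the two disagree)
        return OK;
    }

    # Not on TLS: send the client to the https:// form of the same URL.
    # Note: hostname() reflects the Host header, so the redirect target is
    # built from client-supplied data; restrict it with ServerName/UseCanonicalName
    # if that matters in your deployment.
    if ($claimed_scheme eq 'https') {
        $r->log_error("request-line scheme 'https' on a non-TLS connection from "
                      . $r->connection->remote_ip);
    }
    my $host = $r->hostname;
    my $uri  = $r->uri;
    my $args = $r->args;
    my $target = "https://$host$uri" . (defined $args && length $args ? "?$args" : '');
    $r->header_out(Location => $target);
    return REDIRECT;
}

1;
```

Install it with `PerlHandler My::RequireSSL` (or call it from the start of your own content handler) on the location that must not be served in the clear. The redirect uses the Host header for the target, so canonicalise the server name in httpd.conf if you do not want client input echoed into the Location header; the log line for a request that claims `https` while arriving without TLS is there so such mismatches show up in the error log rather than passing silently.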

