On Fri, 7 Nov 2003, Merton Campbell Crockett wrote:

> It's only sent across the Internet to the client in encrypted form.  Now,
> that doesn't mean it won't be slow as each http request will be redirected
> to the https port.  But the content won't be retrieved from the internal
> server except when an https request is made.

Most often it is the client->server data you want to protect most, as this
may contain login information, session keys, credit card numbers etc. If
the client continuously connects first using http and is then told by
the server to use https then there is no protection of the client->server
data, allowing for a wide variety of attacks.

> You could return a permanently moved status to the http request.  If you're
> lucky, the browser will "remember" this and translate all http requests to
> https requests.

Unfortunately not very effective: these redirects act on specific URLs
only, including the full query string.

It should also be noted that the warning you get when trying to access an
http:// URL from a page loaded via https:// is a very valid warning.
http:// does not provide any protection of sensitive information or
authentication of the server. As soon as you leave the https:// session
you are basically on your own with regard to security and a determined cracker will
have little problem hijacking your session.

Regards
Henrik
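The point Henrik makes about permanently-moved redirects acting per URL, and the earlier one about client->server data already being on the wire before any redirect, can be shown with a small model. This is an added example, not code from either mail: a hypothetical client that caches 301 answers per exact URL (hostname, path and query), and a log of which requests left the client in cleartext. Host and query values are constructed for the example.

```python
"""Added example: a toy http client with a 301 cache keyed on the full URL,
showing why an http->https permanent redirect only helps for URLs the
client has already seen, and that the first request is always in the clear."""
from urllib.parse import urlsplit, urlunsplit


def https_location(http_url: str) -> str:
    """The Location header an http->https 301 would carry: same host,
    path and query, only the scheme changes."""
    p = urlsplit(http_url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


class RedirectCachingClient:
    """Hypothetical browser model: remembers a 301 per exact URL, so a new
    query string is a new URL and is requested over http again."""

    def __init__(self) -> None:
        self.permanent = {}      # exact http URL -> https URL it moved to
        self.cleartext_log = []  # path?query of every request sent over http

    def fetch(self, url: str) -> str:
        """Return the URL that is finally retrieved over https."""
        if url in self.permanent:
            # Cached redirect: no http request is made at all.
            return self.permanent[url]
        p = urlsplit(url)
        if p.scheme != "http":
            return url
        # The request line, including the full query string, has already
        # been sent in cleartext before the server can answer with a 301.
        self.cleartext_log.append(f"{p.path}?{p.query}" if p.query else p.path)
        target = https_location(url)
        self.permanent[url] = target
        return target


if __name__ == "__main__":
    c = RedirectCachingClient()
    c.fetch("http://shop.example/login?user=alice&pw=s3cret")   # in the clear
    c.fetch("http://shop.example/login?user=alice&pw=s3cret")   # cached
    c.fetch("http://shop.example/login?user=bob&pw=other")      # in the clear again
    print(c.cleartext_log)
```

Running the block prints two cleartext entries for three fetches: the repeated URL is served from the cache, but the second user's credentials still cross the network over http because the cached redirect was for a different URL. The defence the thread points at is not a better redirect but never handing out http:// links for sensitive resources in the first place.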
