On Thu, 9 Jan 2003, Schnitzer, Jeff wrote:
> Date: Thu, 9 Jan 2003 18:39:34 -0800
> From: "Schnitzer, Jeff" <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: RE: HTTPS to HTTP
>
> > From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
> >
> > If you're going to switch from https->http, you are totally wasting your
> > time messing with https in the first place. It buys you nothing except a
> > *perception* that you are more secure -- that is not the reality.
>
> You keep repeating this over and over as if it's some sort of Absolute
> Truth. It's not. As long as you require reauthentication whenever you
> make the transition to the secure (https) portions of your webapp, there
> is nothing magically insecure about sending your users back to plain old
> http when they're navigating the boring parts.

There are two problems with this, based on listening to this mailing list
for the last five years:

* The most common use case for wanting HTTPS->HTTP is to let you log on
  with HTTPS "so your password does not go across the Internet unencrypted",
  but run the rest of the application on HTTP. Having to reauthenticate
  again means they don't get what they thought they wanted.

* Reauthentication happens in cleartext again, right? So it's subject to
  snooping and forgery just the same as if you had never bothered with SSL
  in the first place.

Another way to say what you propose is "run the post-SSL stuff on a
separate session id, so you don't expose the secure session id to attack".
That would be fine, but it basically ignores why the large majority of
people want to do this in the first place.

> It's not rocket science, and people build webapps that do this all the
> time. Just not with Tomcat.

None of the concerns about HTTPS->HTTP are specific to Tomcat, or even to
Java-based web servers. They are fundamental to the nature of the way HTTP
and HTTPS work.
>
> Jeff Schnitzer

Craig

> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
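Editor's note, added example: the message above contrasts reusing one session id across the HTTPS->HTTP boundary with running "the post-SSL stuff on a separate session id". The following Python model is not code from the thread, from Tomcat, or from either author; it is a toy cookie jar, a passive network sniffer and two server variants written here to show the difference. The cookie names (JSESSIONID, SECURESESSIONID), the user "alice" and the Secure-flag handling are assumptions of the model, not a description of any particular Tomcat version.

```python
"""Toy model (added example, not from the mailing-list thread): one session id
shared across https and http versus a separate, Secure-only session id for the
https part of a webapp. No sockets; the 'network' is a function call."""

import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # a Secure cookie is sent by the browser only over https


class Browser:
    """Minimal cookie jar that honours the Secure attribute."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, cookie):
        self.jar[cookie.name] = cookie

    def cookies_for(self, scheme):
        # Secure cookies are omitted from plain-http requests.
        return {c.name: c.value for c in self.jar.values()
                if scheme == "https" or not c.secure}


def sniff(scheme, cookies):
    """Passive attacker on the path: reads every header on http, nothing on https."""
    return dict(cookies) if scheme == "http" else {}


class SingleSessionApp:
    """Log in over https, then reuse the same session id on http pages
    (the common request on the list). The cookie cannot be Secure, or the
    http pages would never see it."""

    def __init__(self):
        self.sessions = {}

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.set_cookie(Cookie("JSESSIONID", sid, secure=False))

    def user_for(self, cookies):
        return self.sessions.get(cookies.get("JSESSIONID"))


class SplitSessionApp:
    """The 'separate session id' arrangement: the https area is keyed by a
    Secure-only cookie; the http area gets its own, low-value session."""

    def __init__(self):
        self.secure_sessions = {}
        self.plain_sessions = {}

    def login(self, browser, user):
        ssid = secrets.token_hex(16)
        psid = secrets.token_hex(16)
        self.secure_sessions[ssid] = user
        self.plain_sessions[psid] = user  # identifies the user, authorizes nothing sensitive
        browser.set_cookie(Cookie("SECURESESSIONID", ssid, secure=True))
        browser.set_cookie(Cookie("JSESSIONID", psid, secure=False))

    def secure_user_for(self, scheme, cookies):
        # The secure area refuses to be served over plain http at all.
        if scheme != "https":
            return None
        return self.secure_sessions.get(cookies.get("SECURESESSIONID"))

    def plain_user_for(self, cookies):
        return self.plain_sessions.get(cookies.get("JSESSIONID"))


def single_session_attack():
    app, browser = SingleSessionApp(), Browser()
    app.login(browser, "alice")                          # happens over https
    stolen = sniff("http", browser.cookies_for("http"))  # user then visits a boring http page
    return app.user_for(stolen)                          # attacker replays it against the https area


def split_session_attack():
    app, browser = SplitSessionApp(), Browser()
    app.login(browser, "alice")
    stolen = sniff("http", browser.cookies_for("http"))
    return {
        "attacker_secure": app.secure_user_for("https", stolen),
        "attacker_plain": app.plain_user_for(stolen),
        "legit_secure": app.secure_user_for("https", browser.cookies_for("https")),
    }


if __name__ == "__main__":
    print("single session, replayed by attacker:", single_session_attack())
    print("split sessions:", split_session_attack())
```

With one shared id the sniffed cookie is the whole account. With split ids the sniffed cookie still impersonates the user on every http page (which is the part of the app people actually wanted to protect by logging in over https), and only the Secure-only session stays out of the attacker's reach.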