Hi Gary, US is good! No visa yet, but I'm doing bits and pieces of remote work.
Taco, Gary Menzel and anyone else who's curious. For a reasonably concise and complete explanation of the SSL process the NIST Securing Webservers pdf document is pretty hard to beat. http://www.phaos.com/resources/PP-SecuringWebServers-RFC.pdf Look at section 6.5 - round about page 48 onwards. Spike. p.s. Anyone who needs some remote development just fire me an email off list. >-----Original Message----- >From: [EMAIL PROTECTED] >[mailto:[EMAIL PROTECTED] On Behalf Of >G A R Y C R O U C H [ A I T ] >Sent: Tuesday, April 20, 2004 3:13 PM >To: CFAussie Mailing List >Subject: [cfaussie] Re: [OT] SSL > >Hi Spike! Hows the US? Got your Visa Yet? > >Your correct, the browser "should" not send any data or even a >HTTP packet at all, if the TLS connection could not be made. >The point is this is TCP/IP stuff it sitts bellow anything >that we normaly play with probably below the browser as well. >TCP/IP Packets >carry the HTTP packet which in turn carries the form data. > >For more reading: http://www.ietf.org/ > >Gary > >----- Original Message ----- >From: "Stephen Milligan" <[EMAIL PROTECTED]> >To: "CFAussie Mailing List" <[EMAIL PROTECTED]> >Sent: Wednesday, April 21, 2004 9:01 AM >Subject: [cfaussie] Re: [OT] SSL > > >> Just to be clear, >> >> My understanding has been that you don't need to secure the >form from >> a security point of view. You need to secure it from a user >confidence >> point of view. >> >> Regardless of whether the form is encrypted or not, as long as the >> action page uses SSL no-one can snoop on the data being sent >across the wire. >> >> The only other compelling reason I can think of to use SSL for the >> form >page >> is because you then know that a secure session can be established >> before >you >> try to send any sensitive data across the wire. I don't know enough >> about it, but I'd expect that if the browser couldn't establish as >> secure connection to the server it would not attempt to send >anything. >> That's relying on the implementation of the web browser though which >> might not be the best thing. >> >> Spike >> >> >-----Original Message----- >> >From: [EMAIL PROTECTED] >> >[mailto:[EMAIL PROTECTED] On Behalf >Of G A R >> >Y C R O U C H [ A I T ] >> >Sent: Tuesday, April 20, 2004 2:51 PM >> >To: CFAussie Mailing List >> >Subject: [cfaussie] Re: [OT] SSL >> > >> >OK, having writen an paper last year on SSL or we should be calling >> >it by its new name TLS (Transport Layer Security). I can >comment with >> >some confidence on this. >> > >> >Taco; You are correct. ill explain why. >> > >> >When the user submits the page with the form the first thing that >> >happens down inside the TCP/IP stack (in the TRANSPORT layer for >> >thoughts that want to know) SSL/TLS is turned on, this is when the >> >client and host computers are hand-shaking, before the HTTP packet >> >has been sent ove the connection. >> >after the SSL / TLS connection has been made the HTTP >packet will be >> >delivered using the secured connection. just as the same as doing a >> ><chhttp> to a https:// connection with post-form data. >> > >> >Point is we always secure the form as well to give the user >> >confidence that the information is over a secure connection. >> > >> >Hope this is understandable. >> > >> >----- Original Message ----- >> >From: "Taco Fleur" <[EMAIL PROTECTED]> >> >To: "CFAussie Mailing List" <[EMAIL PROTECTED]> >> >Sent: Wednesday, April 21, 2004 8:04 AM >> >Subject: [cfaussie] Re: [OT] SSL >> > >> > >> >That's what I thought, but I have several people telling me >> >otherwise, can you really confirm this? i.e. are you certain? >> > >> >Cheers. >> > >> >-----Original Message----- >> >From: Gary Menzel [mailto:[EMAIL PROTECTED] >> >Sent: Wednesday, 21 April 2004 8:02 AM >> >To: CFAussie Mailing List >> >Subject: [cfaussie] Re: [OT] SSL >> > >> > >> >> I could be totally wrong here, but I was under the >> >impression that for >> >> a >> >form to be secure it had to be posted from within SSL, >> >> but I have been hearing that I am wrong, and that even if its >> >> posted >> >from outside SSL to SSL the connection is secure. Could >> >> someone confirm one or the other? >> > >> >It is my understanding that the form itself MUST be already in SSL >> >for the process to be secure. >> > >> >Again, the story goes that it is that both the pages >involved must be >> >under SSL. >> > >> > >> >Gary Menzel >> >Web Development Manager >> >IT Operations Brisbane -+- ABN AMRO Morgans Limited Level 29, >> >123 Eagle Street BRISBANE QLD 4000 >> >PH: 07 333 44 828 FX: 07 3834 0828 >> > >> > >> > >> >To unsubscribe from this email please forward this email to: >> >[EMAIL PROTECTED] >> > >> >If this communication is not intended for you and you are not an >> >authorised recipient of this email you are prohibited by law from >> >dealing with or relying on the email or any file attachments. This >> >prohibition includes reading, printing, copying, re-transmitting, >> >disseminating, storing or in any other way dealing or acting in >> >reliance on the information. >> >If you have received this email in error, we request you >contact ABN >> >AMRO Morgans Limited immediately by returning the email to >> >[EMAIL PROTECTED] and destroy the original. >> >We will refund any reasonable costs associated with notifying ABN >> >AMRO Morgans. This email is confidential and may contain privileged >> >client information. ABN AMRO Morgans has taken reasonable steps to >> >ensure the accuracy and integrity of all its communications, >> >including electronic communications, but accepts no liability for >> >materials transmitted. Materials may also be transmitted >without the >> >knowledge of ABN AMRO Morgans. >> > ABN AMRO Morgans Limited its directors and employees do not accept >> >liability for the results of any actions taken or not on >the basis of >> >the information in this report. ABN AMRO Morgans Limited and its >> >associates hold or may hold securities in the companies/trusts >> >mentioned herein. Any recommendation is made on the basis of our >> >research of the investment and may not suit the specific >requirements >> >of clients. Assessments of suitability to an individual?s >portfolio >> >can only be made after an examination of the particular client?s >> >investments, financial circumstances and requirements. >> >ABN AMRO Morgans Limited (ABN 49 010 669 726 AFSL 235410) A >> >Participant of ASX Group >> > >> > >> >--- >> >You are currently subscribed to cfaussie as: >> >[EMAIL PROTECTED] To unsubscribe send a blank email to >> >[EMAIL PROTECTED] >> > >> >MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia >> >http://www.mxdu.com/ + 24-25 February, 2004 >> > >> >--- >> >You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To >> >unsubscribe send a blank email to >> >[EMAIL PROTECTED] >> > >> >MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia >> >http://www.mxdu.com/ + 24-25 February, 2004 >> > >> > >> > >> >--- >> >You are currently subscribed to cfaussie as: >> >[EMAIL PROTECTED] To unsubscribe send a blank email to >> >[EMAIL PROTECTED] >> > >> >MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia >> >http://www.mxdu.com/ + 24-25 February, 2004 >> >> >> --- >> You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To >> unsubscribe send a blank email to >[EMAIL PROTECTED] >> >> MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia >> http://www.mxdu.com/ + 24-25 February, 2004 >> > > >--- >You are currently subscribed to cfaussie as: >[EMAIL PROTECTED] To unsubscribe send a blank email to >[EMAIL PROTECTED] > >MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia >http://www.mxdu.com/ + 24-25 February, 2004 --- You are currently subscribed to cfaussie as: [EMAIL PROTECTED] To unsubscribe send a blank email to [EMAIL PROTECTED] MXDU2004 + Macromedia DevCon AsiaPac + Sydney, Australia http://www.mxdu.com/ + 24-25 February, 2004
