Hi all, I've just been told that using HTTPS may not be secure enough for a business to business integration system I'm building.
I went looking for more details and I found that a man-in-the-middle attack is possible. My reading of the situation is that if a client asks for a service on port 80, the server responds with a 302 redirect to port 443 and then the communication begins encrypted. The vulnerability is that a potential snooper on the line may see the port 80 request and instead return a different request to the client and then be able to sniff the traffic.

Could this be prevented by just getting the client to go straight to port 443? At some point, I have to provide a URL for the other organisation to use and I could say it's https://mysecuresite.com/blah. A call to port 80 would return forbidden or something similar. Would that work?

Thanks
Rakesh
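The client-side half of what the post proposes, as an added example that is not from the original thread: the integration client is configured with an https:// URL only, never issues a plain-HTTP request, and refuses to follow any redirect that would downgrade to HTTP or change host, so a spoofed 302 on port 80 has nothing to act on. The host mysecuresite.com is taken from the post; the URL paths are constructed.

```python
"""HTTPS-only client policy for a B2B integration (added example)."""
from urllib.parse import urlparse, urljoin
import urllib.error
import urllib.request


def url_allowed(url: str) -> bool:
    """Only absolute https:// URLs with a host may be requested at all."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


def redirect_allowed(current: str, location: str) -> bool:
    """A redirect is followed only if it stays on https:// and on the same
    host as the request that triggered it. Relative Location headers are
    resolved against the current URL first."""
    target = urlparse(urljoin(current, location))
    origin = urlparse(current)
    if target.scheme != "https":
        return False  # downgrade to http:// (the attack in the post)
    return target.hostname == origin.hostname  # refuse cross-host hops


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib redirect handler that applies redirect_allowed() before
    following a 30x response; a refused redirect surfaces as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(req.full_url, newurl):
            raise urllib.error.HTTPError(
                req.full_url, code,
                "redirect refused by HTTPS-only policy", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Fetch url under the policy: reject non-HTTPS URLs up front and use
    the strict redirect handler for anything the server sends back."""
    if not url_allowed(url):
        raise ValueError(f"refusing non-HTTPS URL: {url}")
    opener = urllib.request.build_opener(HttpsOnlyRedirectHandler)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed scenarios from the post: the first redirect is the
    # downgrade a snooper on port 80 would try, the others are benign.
    base = "https://mysecuresite.com/blah"
    for loc in ["http://mysecuresite.com/blah", "/login",
                "https://other.example/blah"]:
        print(loc, "->", "follow" if redirect_allowed(base, loc) else "refuse")
```

The server-side half of the proposal (answering port 80 with a 403 instead of a redirect) is independent of this; the client policy above protects the integration even if the server keeps redirecting.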
