> On Thu, 12 Jul 2001, Issac Goldstand wrote:
>
> >
> > > >>>>> "IG" == Issac Goldstand <[EMAIL PROTECTED]> writes:
> > >
> > > IG> Not necessarily.  I could easily set up any virtualhost on port
> > > IG> 443 which will be accessible by https://nasty.servername/ but
> > > IG> will, in reality, not necessarily be over a secure connection.
> > >
> > > I think you've never actually tried this.  You will not get the page
> > > because the client is expecting SSL and you're not providing it.  Try
> > > it.  Go ahead, try it.
> > >
> >
> > I did.  Look at my follow-up to Geoffrey's response to the post you're
> > quoting for details... It worked from most simple clients...
>
> your "most simple clients" example did the same as accessing
> <http://nasty.servername:443/>.
>
> That's about as different from https:// as if you had shown that
> stuff on port 443 can be other stuff than HTTP over SSL by
> installing an ftp server on that port.
>
> > Some clients, like Netscape and MSIE think that they're smarter
> > than the servers, though, and incorrectly "assume" they know
> > whether to go secure or not.
>
> They don't assume, you tell them what transport method to use by
> using https:// or http://.

OK.  Let me see if I can explain myself a bit better.  You're all correct
that by entering an https:// scheme the _intention_ is to advise the browser
to use a secure layer - which most common browsers do.  My point is not that
this is not what should happen, but rather that in many situations the
programmer cannot know in advance what kind of weird server setups may be in
use, and cannot know what kind of client will be accessing them.  The fact
that my "simple browsers" just did "telnet server 443" is EXACTLY the point
I'm trying to make.  In order to ensure that an SSL layer is actually
active, checking the port OR scheme is not enough.  You must actually
"query" for the presence of the layer itself, which mod_ssl conveniently
provides a means to do by giving us $ENV{HTTPS}.

  Issac

PGP Key 0xE0FA561B - Fingerprint:
7E18 C018 D623 A57B 7F37 D902 8C84 7675 E0FA 561B
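An added example (not code from the thread or from mod_ssl itself) of the check Issac describes: a CGI-style handler that treats a request as secure only when mod_ssl's HTTPS environment variable reports an active SSL layer, and ignores the port number and the scheme the client typed. The environment hash is passed in as a parameter so the logic can be exercised with constructed sample environments; the `handle_request` body and the `/secret` path are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example: decide whether a request is really running over SSL by
# consulting mod_ssl's HTTPS variable, not the port or the URL scheme.
use strict;
use warnings;

# Returns 1 if mod_ssl reports an active SSL layer for this request, 0 otherwise.
# $env is a hash reference (defaults to \%ENV) so the check can be run offline.
sub request_is_secure {
    my ($env) = @_;
    $env ||= \%ENV;
    # mod_ssl sets HTTPS to "on" only when the connection is actually SSL.
    # SERVER_PORT being 443 says nothing about the transport: a plain-text
    # listener on 443 answers "telnet server 443" just as well.
    my $https = $env->{HTTPS} || '';
    return lc($https) eq 'on' ? 1 : 0;
}

# Illustrative handler: serve the sensitive page (and a Secure cookie) only
# when the SSL layer is present; otherwise refuse rather than fall back.
sub handle_request {
    my ($env) = @_;
    if (!request_is_secure($env)) {
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
             . "This resource is only served over SSL.\n";
    }
    return "Content-Type: text/plain\r\n"
         . "Set-Cookie: session=example; Secure\r\n\r\n"
         . "secret contents\n";
}

# Constructed sample environments illustrating the point of the thread:
# the first looks like port 443 but has no SSL layer, the second is real SSL.
my %plain_on_443 = (SERVER_PORT => 443, REQUEST_URI => '/secret');
my %real_ssl     = (SERVER_PORT => 443, HTTPS => 'on', REQUEST_URI => '/secret');

for my $env (\%plain_on_443, \%real_ssl) {
    print "HTTPS=", ($env->{HTTPS} || '(unset)'), " port=$env->{SERVER_PORT}: ",
          (request_is_secure($env) ? "secure" : "not secure"), "\n";
}
print handle_request(\%plain_on_443);
print handle_request(\%real_ssl);
```

Running the script under a plain CGI environment (no HTTPS variable) takes the refusal branch for the first sample and the secure branch for the second, which is the distinction between "something answered on port 443" and "an SSL layer is active" that the thread is about.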
