>On Fri, 5 Jul 2002, Jerome Houston wrote:
>> if the browser is making a request, and it sees an https:// at the beginning 
>> of the request URL, it will :
>> 1.  get the domain's public key from a public key server
>> 2.  encrypt the whole request with the domain's public key
>> 3.  submit it to the web server.
>We have public key servers?

I know (think?) you're joking, but for any other readers... :-)

A "public key server" should not be confused with the public key on an SSL
(HTTPS) web-server.

A "public key server" lets any yahoo on the planet upload the "public" half
of the key-pair which is supposed to uniquely identify themselves.  Alas,
all too many people don't even understand how important it is to keep the
PRIVATE half of their key private, so public key servers aren't all that

The SSL Certificate you paid $200 (or more) for has a public half in it,
which, in the course of the browser/server conversation about how to get the
stuff transmitted securely, is exchanged with the browser.

That does not mean your web-server is a public key server, of course.

The SSL Certificate also has a private half.  People you do not trust should
*NOT* ever be allowed access to that.

>Sort of. The server's key is used to encrypt the exchange of a new key
>which lasts only for the lifetime of the transaction. This ephemeral key
>is what's used to encrypt the actual data. But this nuance is probably not
>very important to understanding the practical issues of working with PHP 
>and HTTPs.

To be honest, none of this stuff is all that useful for the practical issues

You use URLs that start with HTTPS when you want stuff to be secure.

Everything that gets sent "to" an HTTPS from the browser is encrypted, and
everything the browser sends back from the HTTPS is encrypted.

You can safely ignore all the details of exactly how the HTTPS stuff is done
internally, unless you need to install/build your own SSL server.

>> Now, one of the things that many people are confused about is that they
>> think there must be a lock icon at the bottom of the browser when they
>> are entering sensitive info (like credit card numbers).  Nope.  The only
>> important thing is that the form which takes the sensitive data SUBMITS
>> to an https:// URL.  Because (as above) it will encrypt the request
>> (which includes the sensitive data) BEFORE it submits it over the
>> internet.  But most people don't know how to check that a form submits
>> to an to an https:// URL.
>Yup. You'd think that the browser developers would come up with a way to 
>indicate this (mouse pointer turning to a lock when hovering over a submit 
>button, etc.).

No, they're too busy adding more useless features and releasing incredibly
unstable code with little or no QA :-)

Like Music?  http://l-i-e.com/artists.htm

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to