From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Yes, that is clearly a risk. The *whole* web application needs to have no
risks in order to allow http access to any of it - any sensitive link
My understanding (at the moment) is that there are two scenarios where
session id reuse might be safe:
a) (the scenario I suggested) the *only* secure page requiring https is
the login page. Accessing that using the sniffed session id will only
let the bad guy login - which gains him nothing.
-Original Message-
From: John Holman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:02 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In this scenario, the *only* page requiring SSL would be
the login page that collects the username and password.
(That could be either a dedicated application login page
or the login page configured for form-based login. Basic
Is there an FTP connector for Tomcat? If so, I would be very interested in
it.
Thanks,
John
-Original Message-
From: Shah, Sanjay [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 1:03 PM
To: 'Tomcat Users List'
Cc: 'Craig R. McClanahan'
Subject: RE: HTTPS to HTTP
Hello
Hi Bill,
Honestly, as a user, I don't feel competent enough with the Tomcat
internal architecture to write a patch.
However, to me, this is a vital thing missing from the tomcat 4.1.x
branch. Quite a few of the sites that I work on require that a session
created under https be accessible under
Raiden,
If you really want to maintain the session between HTTPs and HTTP you
can do it by writing the link to the insecure page
with the session id like this: (using JSP)
From the insecure page:
<%-- Tomcat reads the session id from the ;jsessionid= path parameter,
     so the target URL carries the current session's id --%>
<form method="post"
      action="http://(youraddress/insecurepage);jsessionid=<%= session.getId() %>">
  <input type="submit">
</form>
Ralph Einfeldt wrote:
Anybody who can listen to your traffic, can hijack
a session. He just has to create a request with the
same sessionid (either as cookie or in the url).
So after you go back from https to http you open
the session to an attacker.
The risks that are involved with that depend on the
Thanks for the comments
regards,
Dave
- Original Message -
From: John Holman [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, January 09, 2003 9:44 PM
Subject: Re: HTTPS to HTTP
Ralph Einfeldt wrote:
Anybody who can listen to your traffic, can hijack
Sent: Thursday, January 09, 2003 11:44 AM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
In that case the session may as well be conducted
in http (e.g. for performance reasons).
--
To unsubscribe, e-mail: mailto:[EMAIL PROTECTED]
For additional commands, e-mail: mailto:[EMAIL PROTECTED]
-Original Message-
From: David Hemingway [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 12:08 PM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
That is my exact situation. The sysadmin section of the site
is 100% https.
but on the user side
authentication to form
authentication and the sysadmin visits the user side
and somebody steals the sysadmin's session ...)
On Thu, 9 Jan 2003, John Holman wrote:
Date: Thu, 09 Jan 2003 12:56:16 +
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Yes, that is clearly a risk. The *whole* web application needs
On Thu, 9 Jan 2003, John Holman wrote:
Date: Thu, 09 Jan 2003 12:58:19 +
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Ralph Einfeldt wrote:
I don't think that performance
Hello Craig:
I was reading one of your posts in the tomcat user archive regarding
implementation of the FTP protocol under Catalina.
One of my requirements is exactly the same.
In my case the FTP security and processing needs to be managed on a per
customer basis, however this tends to be closely
On Thu, 9 Jan 2003, Shah, Sanjay wrote:
Date: Thu, 9 Jan 2003 13:02:32 -0500
From: Shah, Sanjay [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Cc: 'Craig R. McClanahan' [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
Hello Craig:
I was reading one of your posts in the tomcat user
John Holman wrote:
Date: Thu, 09 Jan 2003 12:56:16 +
From: John Holman [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
Yes, that is clearly a risk. The *whole* web application needs to have no
risks in order
On Thu, 9 Jan 2003, Shrotriya, Sumit wrote:
Date: Thu, 9 Jan 2003 12:45:20 -0600
From: Shrotriya, Sumit [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
Craig,
I agree with you 100% but there can
That is my exact situation. The sysadmin section of the site is 100% https.
but on the user side there is nothing that sensitive and little harm
they could cause by stealing someone's session. It would not be worth going
to the trouble of stealing the session for the benefit you would get.
I don't think that performance is a reason to keep
the session after a switch because in most
applications the amount of protocol switches is
quite small when compared to the total number of
requests within one protocol.
A possibly stupid question -- is it possible to send graphics
I agree with you 100% but there can be a simple solution to the problem
that you just raised, and that is that a new session id is created and
mapped in some table when moving from https->http. This way user B cannot
get access to the admin page.
Two things you'd have to be really careful
On Fri, 10 Jan 2003, Joel Rees wrote:
Date: Fri, 10 Jan 2003 10:56:37 +0900
From: Joel Rees [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
I don't think that performance is a reason to keep
the session after a switch because in most
applications the amount of protocol switches is
quite small when compared to the total number of
requests within one protocol.
A possibly stupid question -- is it possible to send
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
If you're going to switch from https->http, you are totally wasting your
time messing with https in the first place. It buys you nothing except a
*perception* that you are more secure -- that is not the reality.
You keep repeating this
On Fri, 10 Jan 2003, Joel Rees wrote:
Date: Fri, 10 Jan 2003 11:22:42 +0900
From: Joel Rees [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: HTTPS to HTTP
I don't think that performance is a reason to keep
On Thu, 9 Jan 2003, Schnitzer, Jeff wrote:
Date: Thu, 9 Jan 2003 18:39:34 -0800
From: Schnitzer, Jeff [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: RE: HTTPS to HTTP
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
* The most common use case for wanting HTTPS->HTTP is to let you
log on with HTTPS so your password does not go across the
Internet unencrypted, but run the rest of the application on
HTTP. Having to reauthenticate again means they
It is my understanding that if Tomcat allowed you to use the same session and
the session was created under https for a particular user, then once it
gets to http the session id is now in clear text. This is what, I believe,
Craig is talking about when he says that using SSL in this manner only
Jacob Kjome wrote:
-Original Message-
From: Joel Rees [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 2:57 AM
To: Tomcat Users List
Subject: Re: HTTPS to HTTP
A possibly stupid question -- is it possible to send graphics raw and
text encrypted?
Any particular reason you're using a proxy instead of Tomcat's built in
HTTPS support? (it came with 3.2 so you need to get that version if
you're not already using it).
Regards, Stefan.
-Original Message-
From: Geoff Lane [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2001 23:31
To: [EMAIL PROTECTED]
Because it allows us to have multiple machines serving one URL without
having multiple SSL certificates. It also offloads SSL encryption to
dedicated hardware. Those are the main reasons.
Stefán F. Stefánsson wrote:
Any particular reason you're using a proxy instead of Tomcat's built in
HTTPS
33 matches