On Thu, 9 Jan 2003, John Holman wrote:
> Date: Thu, 09 Jan 2003 12:58:19 +0000
> From: John Holman <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: HTTPS to HTTP
>
> Ralph Einfeldt wrote:
>
> >I don't think that performance is a reason to keep
> >the session after a switch because in most
> >applications the amount of protocol switches is
> >quite small when compared to the total number of
> >requests within one protocol.
>
> Just thinking that the overhead of encrypting data when https is used
> might be a cost that sites with a lot of traffic might prefer to avoid
> by using http for all but the authentication exchange.

The problem with your theory is that it's a waste of time to bother doing the encrypted authentication at all -- it adds zero to the security of the overall transaction. In fact, it's worse than that, because it gives you a *false* sense of security. :-). If you're going to support HTTPS->HTTP anyway, you might as well just do the whole application non-SSL.

> John.

Craig
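The point Craig makes is that the session identifier issued during the HTTPS login is what the attacker actually needs, and it travels in the clear on every later HTTP request. One way to make that failure visible rather than silent, as an added example that is not from this thread or from Tomcat itself, is a servlet filter that treats any established session seen over a non-SSL request as already exposed and ends it. The class name `RequireSecureSessionFilter` and the error text are assumptions; the filter uses only the standard `javax.servlet` API and would be mapped to `/*` in `web.xml`.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (assumed name, not part of Tomcat): refuses to honour an
 * existing HTTP session on a request that did not arrive over SSL/TLS.
 *
 * Rationale, following the thread: once the session cookie has been sent over
 * plain HTTP it has been exposed to anyone on the path, so the session is
 * treated as burned and invalidated instead of being carried on.
 */
public class RequireSecureSessionFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // getSession(false) never creates a session; we only care about
        // sessions that already exist, i.e. ones established after login.
        HttpSession session = req.getSession(false);

        // isSecure() is true only when the container received the request
        // over HTTPS (or a connector configured as secure).
        if (session != null && !req.isSecure()) {
            session.invalidate();   // the id has been sent in the clear; drop it
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                           "Session may only be used over HTTPS");
            return;                 // do not continue down the chain
        }

        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

The same effect for an entire application can be obtained declaratively with a `<security-constraint>` whose `<transport-guarantee>` is `CONFIDENTIAL`, which is the "whole application over SSL" option Craig recommends; the filter is for applications that must keep an HTTP connector open and want the HTTPS->HTTP case to fail loudly.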
