On Fri, 10 Jan 2003, Joel Rees wrote:
> Date: Fri, 10 Jan 2003 11:22:42 +0900
> From: Joel Rees <[EMAIL PROTECTED]>
> Reply-To: Tomcat Users List <[EMAIL PROTECTED]>
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Re: HTTPS to HTTP
>
> > > > > I don't think that performance is a reason to keep
> > > > > the session after a switch because in most
> > > > > applications the amount of protocol switches is
> > > > > quite small when compared to the total number of
> > > > > requests within one protocol.
> > > >
> > > > A possibly stupid question -- is it possible to send graphics raw and
> > > > text encrypted?
> > >
> > > Sure ... make your <img src="..."> URLs in the encrypted pages point at
> > > absolute "http:" (not "https:") URLs of where the images are.
>
> I'm thinking that shipping images raw and text under https might help
> those who are concerned about performance. Would this open other holes
> besides the booby-trap I mentioned below? Would shipping the images http
> open the entire transaction to snooping?

Presumably the sessions would *not* be part of the same session (assuming
you haven't modified your Tomcat to allow HTTPS->HTTP transitions on the
same session), so you wouldn't be exposing the secure sessionid.

> > > > (This could leave a trap for obscurationists who send confirmation codes
> > > > as images, of course.)
> > >
> > > If you're going to switch from https->http, you are totally wasting your
> > > time messing with https in the first place. It buys you nothing except a
> > > *perception* that you are more secure -- that is not the reality.
>
> Am I way out in left field with this idea?

Well, it certainly reduces the performance overhead, but how many extra $$$
does it really cost to buy enough CPU power (or specialized SSL hardware,
for very high volume sites) to deal with SSL? Come on guys, we're in a
world where gigahertz processors are cheap!

If you care about security, buy enough CPU power to run your app securely
(once you switch -- a typical ecommerce site can still let the user browse
the catalog on regular http and only switch to https during checkout). If
you don't care enough about security to do this, don't bother with it at
all -- it's just a waste of time.

> --
> Joel Rees <[EMAIL PROTECTED]>

Craig
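The thread's suggestion (absolute "http:" `<img src>` URLs inside an https page) is what browsers now call mixed content: every such sub-resource, and any `<form action>` posting back over http, leaves the encrypted session. The following checker is an added example written for this thread, not code from the list or from Tomcat; it walks a page's HTML and reports each sub-resource an HTTPS page would fetch over plain HTTP. The page URL, hostnames and HTML below are constructed sample data.

```python
"""
Mixed-content checker for pages served over HTTPS.

Added example for the HTTPS->HTTP thread; not Tomcat code. The sample page
URL, hostnames and HTML are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose value the browser fetches (or posts to).
_FETCH_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "form": ("action",),
}

# <link> rel values that actually cause a fetch; canonical/alternate do not.
_FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, attribute, raw URL) for every fetching attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = _FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)  # HTMLParser already lower-cases names
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & _FETCHING_LINK_RELS:
                return
        for name in wanted:
            value = attrs.get(name)
            if value:
                self.refs.append((tag, name, value))


def find_mixed_content(page_url, html):
    """Return [(tag, attr, absolute_url)] for every sub-resource that an
    HTTPS page would fetch over plain HTTP, in document order.

    Relative ("/x.png") and protocol-relative ("//host/x.png") references
    inherit the page's https scheme and are therefore not reported. For a
    page that is not itself HTTPS the question does not arise and the
    result is empty.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, raw in collector.refs:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            findings.append((tag, attr, absolute))
    return findings


# Constructed sample: a checkout page with a mix of good and bad references.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><body>
<img src="http://images.example/logo.gif">
<img src="/static/cart.png">
<img src="//images.example/banner.gif">
<script src="https://cdn.example/app.js"></script>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<form action="http://shop.example/confirm" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}={url!r}>")
```

Run against the constructed page it reports the http logo image, the http stylesheet and, most importantly, the form that would post the checkout over plain http; the protocol-relative banner and the root-relative cart image are left alone because they follow the page's own scheme. The form case is the one worth watching: an `<img>` over http leaks only what the image shows, but a form or script over http exposes whatever the browser sends or executes, including any cookie that was not marked Secure.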
