> From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
>
> * The most common use case for wanting HTTPS->HTTP is to let you
>   log on with HTTPS "so your password does not go across the
>   Internet unencrypted", but run the rest of the application on
>   HTTP. Having to reauthenticate again means they don't get what
>   they thought they wanted.

My employer has some websites that work like this: Password exchanges
are encrypted. Most user interaction is not encrypted. Reauthentication
is necessary if you want to edit your credit card information or other
personal data. The secure sections of the application are accessed
infrequently, so the extra user interaction is not very annoying.

> * Reauthentication happens in cleartext again, right? So it's subject
>   to snooping and forgery just the same as if you had never bothered
>   with SSL in the first place.

Of course not. That would be stupid.

> Another way to say what you propose is "run the post-SSL stuff on a
> separate session id, so you don't expose the secure session id to attack".
> That would be fine, but it basically ignores why the large majority of
> people want to do this in the first place.

I'll throw another example in, this one related to the projects I work
on: My user accounts exist in a "foreign" database; the credentials must
be kept secure because they could be used on other websites and with
other tools to wreak havoc. However, other than requiring one of these
accounts, my specific website does not contain sensitive data and there
is no compelling need for SSL.

> > It's not rocket science, and people build webapps that do this all the
> > time. Just not with Tomcat.
>
> None of the concerns about HTTPS->HTTP are specific to Tomcat, or even to
> Java-based web servers. They are fundamental to the nature of the way
> HTTP and HTTPS work.

I'm aware of that. The Tomcat-specific issue is that it won't let you
make the transition from https to http on the same session. That's
frustrating.

Look, I'm not suggesting that HTTPS->HTTP transitions are for everyone;
given how fast and cheap computers are these days, most people are
probably better off running their entire applications under SSL even if
they aren't worried about security.
But there are a number of us out here with high volume sites that
*could* benefit from Tomcat allowing the transition. It's not
categorically evil.

Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online
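The design the thread circles around (log in over HTTPS, browse over HTTP, reauthenticate over HTTPS for the sensitive pages, and never let the HTTPS session id travel in cleartext) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the thread, from Tomcat, or from either poster's sites. It keeps two session ids per login: a cleartext one (named JSESSIONID here only by convention) that grants nothing beyond ordinary pages, and an HTTPS-only one carried in a cookie with the Secure flag, which a compliant browser omits on http:// requests. The hostname example.test, the cookie names, the /account and /forum paths and the credentials are all constructed for the example; the sessions live in memory with no expiry, which a real deployment would add.

```python
"""Model of the two-session HTTPS/HTTP scheme discussed in the thread.

Added illustration, not code from the thread or from Tomcat. Everything
below (site layout, cookie names, credentials) is constructed for the
example.
"""
import secrets
from dataclasses import dataclass, field

USERS = {"alice": "correct horse battery"}  # constructed test credentials
LOGIN_URL = "https://example.test/login"    # constructed; login only over HTTPS


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # Secure flag: a browser sends the cookie only over HTTPS


@dataclass
class CookieJar:
    """Minimal browser cookie jar that honours the Secure flag."""
    cookies: dict = field(default_factory=dict)

    def set(self, cookie):
        self.cookies[cookie.name] = cookie

    def for_request(self, https):
        # Secure cookies are withheld from cleartext requests, so the
        # HTTPS session id never appears on the wire unencrypted.
        return {c.name: c.value for c in self.cookies.values()
                if https or not c.secure}


class Site:
    def __init__(self):
        self.plain = {}   # cleartext session id -> user (no authority over personal data)
        self.secure = {}  # HTTPS-only session id -> user

    def login(self, user, password, https):
        """Password exchange is accepted over HTTPS only."""
        if not https:
            return ("redirect", LOGIN_URL, [])
        if USERS.get(user) != password:
            return ("denied", None, [])
        psid, ssid = secrets.token_hex(16), secrets.token_hex(16)
        self.plain[psid] = user
        self.secure[ssid] = user
        return ("ok", user, [Cookie("JSESSIONID", psid, secure=False),
                             Cookie("SSID", ssid, secure=True)])

    def request(self, path, https, cookies):
        """Secure sections need HTTPS *and* a valid HTTPS-only session id;
        anything else is sent to reauthenticate over HTTPS."""
        if path.startswith("/account"):
            user = self.secure.get(cookies.get("SSID")) if https else None
            if user is None:
                return ("reauth", LOGIN_URL)
            return ("ok", user)
        user = self.plain.get(cookies.get("JSESSIONID"))
        return ("ok", user) if user else ("anonymous", None)


def demo():
    """Walk one user through the scheme and return the observed outcomes."""
    site, jar = Site(), CookieJar()
    _, _, cookies = site.login("alice", "correct horse battery", https=True)
    for c in cookies:
        jar.set(c)
    results = {}
    # Ordinary page over HTTP: only the cleartext session id is sent.
    results["plain_http"] = site.request("/forum", False, jar.for_request(False))
    results["ssid_sent_over_http"] = "SSID" in jar.for_request(False)
    # Secure section over HTTP: the SSID was never sent, so reauth is demanded.
    results["account_http"] = site.request("/account", False, jar.for_request(False))
    # Same section over HTTPS with the Secure cookie present: allowed.
    results["account_https"] = site.request("/account", True, jar.for_request(True))
    # The cleartext id, which does travel unencrypted, carries no authority
    # over the secure section even when presented over HTTPS.
    results["plain_sid_on_account"] = site.request(
        "/account", True, {"SSID": jar.cookies["JSESSIONID"].value})
    # The password exchange itself is refused over HTTP.
    results["login_http"] = site.login("alice", "correct horse battery", https=False)[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property the thread cares about falls out of the Secure flag plus the split session tables: whatever is snooped on the cleartext side is only ever the JSESSIONID value, and nothing in the site grants it access to the personal-data pages, which always require a fresh HTTPS session.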