LINUX.IE, website of the Irish Linux Users' Group

[ILUG] http/https

Colm MacCarthaigh colm at stdlib.net
Tue Apr 10 10:40:41 IST 2007


On Tue, Apr 10, 2007 at 10:13:43AM +0100, Colm Buckley wrote:
> >        3. Use the HTTP UPGRADE directive to initiate a TLS connection
> >           after supplying the Host header. This does not enjoy wide
> >           support in browsers, but it is supported in a variety of
> >           other HTTP clients and is useful when building APIs and
> >           services that use HTTP as a transport layer.
> 
> 
> Better and better.  This is what happens when one moves into manager-land;
> one loses touch with the coalface.  My earlier comments about STARTTLS not
> being available in HTTP are hereby retracted...
> 
> As a matter of interest, are there any standardised URI formats proposed to
> use this?

RFC2817 says to use HTTP for both a plain-old HTTP socket and a TLS
upgraded one. Whether it chooses to upgrade or not is up to the client
and the server and they recommend leaving it to the client to decide how
to tell the user about that. If you use it in Mozilla for example (it's
experimental only right now), you get the lock icon to show it's
"secure", even though the URL remains http://. I can see the logic
behind it, since the URL is a reference after all and the client does
need to know to use HTTP for the initial connection, but it does suck
when the URLs themselves have become so important a part of the UI.
Maybe this is one of the reasons why browsers are slow to adopt.

Another "feature" of the spec is "optional" encryption, which is that
the requests are in the plain and the responses optionally encrypted.
This is clearly stupid, since usually it's the request that contains
your credit card information. This hasn't helped adoption, but
implementors just aren't implementing that part (which is a good idea).

-- 
Colm MacCárthaigh                        Public Key: colm+pgp at stdlib.net
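
The exchange discussed above, as an added example that is not part of the original post or of RFC 2817's text: it parses a request/response pair and reports whether the connection switched to TLS and which parts of the request had already crossed the wire in cleartext. The `OPTIONS *` probe is the RFC 2817 way to upgrade before sending anything sensitive; the host, path, card number and function names are constructed for illustration.

```python
# Added example: constructed messages, not captured traffic.
CRLF = "\r\n"
OPTIONAL_REQ = CRLF.join([   # sensitive request sent together with the offer
    "GET /pay?card=4111111111111111 HTTP/1.1", "Host: shop.example",
    "Upgrade: TLS/1.0", "Connection: Upgrade", "", ""])
PROBE_REQ = CRLF.join([      # upgrade first, send the real request after TLS
    "OPTIONS * HTTP/1.1", "Host: shop.example",
    "Upgrade: TLS/1.0", "Connection: Upgrade", "", ""])
SWITCH_RESP = CRLF.join([
    "HTTP/1.1 101 Switching Protocols",
    "Upgrade: TLS/1.0, HTTP/1.1", "Connection: Upgrade", "", ""])
PLAIN_RESP = CRLF.join(["HTTP/1.1 200 OK", "Content-Length: 0", "", ""])

def parse_head(raw):
    """Split an HTTP/1.1 message into (start line, headers dict, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def tokens(value):
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def offers_tls_upgrade(headers):
    # Upgrade is hop-by-hop, so it only counts if Connection lists it too.
    return (any(t.startswith("tls/") for t in tokens(headers.get("upgrade", "")))
            and "upgrade" in tokens(headers.get("connection", "")))

def assess(request, response):
    """Report whether TLS follows, and what was sent before it could start."""
    req_line, _, req_body = parse_head(request)
    status_line, resp_headers, _ = parse_head(response)
    method, target, _ = req_line.split(" ", 2)
    switched = (status_line.split(" ")[1] == "101"
                and offers_tls_upgrade(resp_headers))
    # Anything in the first request precedes the 101, so it was unencrypted.
    probe = method == "OPTIONS" and target == "*"
    exposed = [] if probe else [target] + ([req_body] if req_body else [])
    return {"tls_after": switched, "cleartext": exposed}

if __name__ == "__main__":
    for name, req in (("optional", OPTIONAL_REQ), ("probe", PROBE_REQ)):
        print(name, assess(req, SWITCH_RESP))
```
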


