On Tue, Apr 10, 2007 at 10:13:43AM +0100, Colm Buckley wrote:
> 3. Use the HTTP UPGRADE directive to initiate a TLS connection
> > after supplying the Host header. This does not enjoy wide
> > support in browsers, but it is support in a variety of
> > other HTTP clients and is useful when building APIs and
> > services that use HTTP as a transport layer.
>>> Better and better. This is what happens when one moves into manager-land;
> one loses touch with the coalface. My earlier comments about STARTTLS not
> being available in HTTP are hereby retracted...
>> As a matter of interest, are there any standardised URI formats proposed to
> use this?
RFC2817 says to use HTTP for both a plain-old HTTP socket and a TLS
upgraded one. Wether it chooses to upgrade or not is up to the client
and the server and they recommend leaving it to the client to decide how
to tell the user about that. If you use it in mozilla for example (it's
experimental only right now), you get the lock icon to show it's
"secure", even though the url remains http:// , I can see the logic
behind it, since the URL is a reference after all and the client does
need to know to use HTTP for the initial connection, but it does suck
when the urls themselves have become so important a part of the UI.
Maybe this is one of the reasons why browsers are slow to adopt.
Another "feature" of the spec is "optional" encryption, which is that
the requests are in the plain and the responses optionally encrypted.
This is clearly stupid, since usually it's the request that contains
your credit card information. This hasn't helped adoption, but
implementors just arn't implementing that part (which is a good idea).
Colm MacCárthaigh Public Key: colm+pgp at stdlib.net
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!