[3153] in WWW Security List Archive
Re: SPAMS
daemon@ATHENA.MIT.EDU (Nathan Neulinger)
Mon Oct 7 17:34:00 1996
To: dwm@xpasc.com (David W. Morris)
Date: Mon, 7 Oct 1996 13:52:26 -0500 (CDT)
From: "Nathan Neulinger" <nneul@umr.edu>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.961007092741.3358B-100000@shell1.aimnet.com> from "David W. Morris" at Oct 7, 96 09:39:45 am
Errors-To: owner-www-security@ns2.rutgers.edu
> > vendors, and that an SSL based web site is what everyone "should" be
> > running. Bloomingdale's might want to
>
> Should is a bit strong considering the performance impact on the server and
> user. For starters, the vast majority of web sites have nothing worth
> that much protection. Even for credit card transfer, I am much more
> concerned with what happens to the credit card after the transfer than
> during the transfer. One well known ISP apparently had 20K credit cards
> available online for the convenience of a crafty cracker. Would you trust
> a site that lies about the encryption of its transactions to store your
> credit card safely? Not I.

Actually, for OUR local use, SSL is becoming useful not because of the
encryption of the form data, but for the encryption of authentication
information in the requests.

We do a LOT of web based administrative functions, and unfortunately this
means that passwords are constantly getting sent over the network. I'd
personally much rather NOT use SSL, since it screws up the URLs and
no-one can remember to put https instead of http, but it does solve the
problem.

Speaking of the URL screw up problem, is anyone aware of any way that an
SSL web server could be made to answer non-SSL requests on the same port
with a redirect to the correct URL?

i.e. I want to change a server on port 800 to run SSL. I would really
like it if the server had some way of checking what protocol the incoming
request was. If I came in via regular http: "http://server.edu", the SSL
server would ONLY issue a redirect to "https://server.edu", in this way,
people can continue to reference things as "http://whatever", but it
would automatically redirect the browser to the https method.

I was thinking I could probably do this with a front end, but it would be
SLOW.

-- Nathan
------------------------------------------------------------
Nathan Neulinger Univ. of Missouri - Rolla
EMail: nneul@umr.edu Computer Center
WWW: http://www.umr.edu/~nneul SysAdmin: rollanet.org
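
The same-port check asked about in the message above can be done by peeking at the first bytes of each connection before starting the SSL handshake. This is an added example, not part of the original post or of any server mentioned in it; the function names, the method list, and the choice to redirect to a configured host instead of the client's Host header are assumptions, while server.edu and port 800 come from the message.

```python
import socket

HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify(first: bytes) -> str:
    """Guess the protocol from the first bytes a client sends."""
    if len(first) >= 3 and first[0] == 0x16 and first[1] == 0x03:
        return "tls"      # SSLv3/TLS record: type 22 (handshake), major version 3
    if len(first) >= 3 and first[0] & 0x80 and first[2] == 0x01:
        return "sslv2"    # SSLv2 two-byte length header, then CLIENT-HELLO (1)
    if first.startswith(HTTP_METHODS):
        return "http"     # plain-text request line
    return "unknown"

def redirect_for(request: bytes, canonical_host: str, port: int) -> bytes:
    """Build a 301 to the https URL for the path in a plain-HTTP request line."""
    line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    path = parts[1] if len(parts) >= 2 and parts[1].startswith("/") else "/"
    # Drop paths carrying control or non-ASCII bytes so nothing can be
    # smuggled into the Location header.
    if not all(0x21 <= ord(c) <= 0x7E for c in path):
        path = "/"
    # The target host is configuration, not the client's Host header, so the
    # redirect cannot be steered to another site.
    location = f"https://{canonical_host}:{port}{path}"
    return (f"HTTP/1.0 301 Moved Permanently\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode("latin-1")

def handle(conn: socket.socket, tls_context, canonical_host: str, port: int):
    """Peek without consuming, then redirect or hand the socket to TLS."""
    # A short first read is treated as unknown and refused in this sketch.
    kind = classify(conn.recv(8, socket.MSG_PEEK))
    if kind == "http":
        # Only ever answer plain HTTP with the redirect, never with content.
        conn.sendall(redirect_for(conn.recv(4096), canonical_host, port))
        conn.close()
        return None
    if kind == "tls":
        return tls_context.wrap_socket(conn, server_side=True)
    conn.close()          # SSLv2 or unrecognised bytes: refuse
    return None
```

The redirect only corrects the URL for later requests: a password sent with the first plain-HTTP request has already crossed the network unencrypted by the time the server replies.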