Re: draft-ietf-tls-http-upgrade reissued
Julien Pierre (jpierre@netscape.com)
Thu, 04 May 2000 18:35:14 -0700
Hi,
Scott Lawrence wrote:
> > From: Julien Pierre
>
> > I don't think users will waste their time filling forms
> > if they are not ahead of
> > time certain that it will be transmitted securely.
>
> If they are that concerned about it, then they should not fill out
> forms that were not delivered securely. If the form was delivered
> over an unsecured connection, it may have been modified in any
> number of ways to subvert the apparent intent of the form. Browsers
> don't normally expose the ACTION attribute of a form - an attacker
> may have changed that, or modified field names - the possibilities
> are endless. Encrypting one exchange in a multiple exchange
> transaction is no security at all.
OK, assume the form was delivered on a secure server. Then it gets
submitted to somebody else - a virtual host on a payment processing
server - to actually process the transaction. This is very common. The
action URL will use regular http.
How does the security upgrade get triggered?
One more thing to consider:
Let's say you are browsing a site and the connection got upgraded to
TLS. Then you sit idle for a while, and your keep-alive connection times
out. You are on a different part of the site now, filled with normal
http:// links. You click on one. The client has to reconnect. How does
the security get restored?
>
> > The duplicate TCP port number issue is IMHO less of a
> > problem because it is rare
> > to exhaust all 2**16 possible TCP ports on a server.
>
> The concern is with the well-known ports - a much much smaller
> space.
>
> --
> Scott Lawrence Director of R & D <lawrence@agranat.com>
> Agranat Systems Embedded Web Technology http://www.agranat.com/
--
for a good time, try kill -9 -1
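The two situations raised in the message above (a form posted to an http:// action URL, and a reconnect after a keep-alive timeout) can be traced through a small model of the per-connection Upgrade mechanism. The code below is an added example, not part of the original message and not text from draft-ietf-tls-http-upgrade; it only borrows the 101 Switching Protocols and 426 Upgrade Required exchanges that RFC 2817 (the published form of the draft) defines. The class names, the `/pay` and `/catalog` paths, the policy table and the form body are constructed for illustration.

```python
# Added example (not part of the original message or of draft-ietf-tls-http-upgrade):
# a toy model of per-connection HTTP/1.1 Upgrade to TLS. It shows why a client
# that does not know ahead of time that a request will be secured can leak a
# form body, and why a fresh connection after a keep-alive timeout starts out
# unsecured again. Status codes 101 and 426 are RFC 2817's; class names, paths,
# the policy table and the sample body are constructed for illustration.
from dataclasses import dataclass, field

UPGRADE_HDRS = {"Upgrade": "TLS/1.0", "Connection": "Upgrade"}


@dataclass
class Connection:
    """One TCP connection. Security is a property of the connection, not of
    the site: 'secured' becomes True only after a 101 on this connection."""
    secured: bool = False
    open: bool = True
    # Requests an on-path observer could read: everything sent before the
    # connection was switched to TLS.
    cleartext_log: list = field(default_factory=list)


class Server:
    """Origin server with a set of paths that must only be served over TLS."""

    def __init__(self, tls_only_paths):
        self.tls_only = set(tls_only_paths)

    def handle(self, conn, method, path, headers, body=b""):
        if not conn.open:
            raise ConnectionError("keep-alive connection has timed out")
        if not conn.secured:
            conn.cleartext_log.append((method, path, body))
        asks_upgrade = ("TLS/1.0" in headers.get("Upgrade", "")
                        and "upgrade" in headers.get("Connection", "").lower())
        if asks_upgrade and not conn.secured:
            conn.secured = True  # the TLS handshake is assumed to succeed here
            return 101, {"Upgrade": "TLS/1.0, HTTP/1.1", "Connection": "Upgrade"}, b""
        if path in self.tls_only and not conn.secured:
            # Server-requested upgrade: the request is refused, but it has
            # already travelled in the clear.
            return 426, {"Upgrade": "TLS/1.0, HTTP/1.1", "Connection": "Upgrade"}, b""
        return 200, {}, b"ok"


def careful_post(server, conn, path, body):
    """Client for which an unsecured response is unacceptable: it upgrades
    first with OPTIONS * (RFC 2817 section 3.2) and sends the body only once
    the connection is secured."""
    status, _, _ = server.handle(conn, "OPTIONS", "*", dict(UPGRADE_HDRS))
    if status != 101:
        return status  # refuse to send the form in the clear
    status, _, _ = server.handle(conn, "POST", path, {}, body)
    return status


def naive_post(server, conn, path, body):
    """Client that simply submits to the form's http:// action URL."""
    status, _, _ = server.handle(conn, "POST", path, {}, body)
    return status


FORM_BODY = b"card=4111111111111111&amount=100"  # constructed sample form body


def scenario_careful_client():
    """Returns (final status, connection secured?, bodies seen in cleartext)."""
    conn = Connection()
    status = careful_post(Server(["/pay"]), conn, "/pay", FORM_BODY)
    leaked = [b for _, _, b in conn.cleartext_log if b]
    return status, conn.secured, leaked


def scenario_naive_client():
    """The form is posted to an http:// action URL; the server answers 426,
    but the body has already been sent unprotected."""
    conn = Connection()
    status = naive_post(Server(["/pay"]), conn, "/pay", FORM_BODY)
    leaked = [b for _, _, b in conn.cleartext_log if b]
    return status, conn.secured, leaked


def scenario_reconnect():
    """An upgraded connection times out; the next click on an http:// link
    opens a new connection that is not secured unless it is upgraded again."""
    server = Server(["/pay"])
    old = Connection()
    careful_post(server, old, "/pay", FORM_BODY)
    old.open = False  # keep-alive timeout
    try:
        server.handle(old, "GET", "/catalog", {})
    except ConnectionError:
        pass
    new = Connection()  # the client reconnects
    status, _, _ = server.handle(new, "GET", "/catalog", {})
    return old.secured, new.secured, status
```

Running the three scenarios shows the point of the thread: the careful client leaks nothing and ends on a secured connection, the naive client gets a 426 only after the form body has crossed the wire in the clear, and the reconnected client is back on an unsecured connection even though the earlier one had been upgraded.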