httpd-users mailing list archives

From "Boyle Owen" <Owen.Bo...@swx.com>
Subject RE: [users@httpd] Can you do this?
Date Wed, 19 Mar 2003 09:58:05 GMT
>-----Original Message-----
>From: Michael Hyman [mailto:mhyman@yahoo.com]
>
>Can you mix http and https in a single, non-framed document?
>
>I am thinking of serving images from an http server but still 
>have the SSL protection for the rest of an order page.

In addition to the other responses regarding browser warnings about
mixing secure and unsecure items, there is another consideration which
you should think about if you are serious about SSL:

SSL encrypts the data packets between the client and the server.
However, given enough time and computer power, it is possible for a
snooper to crack the packets. This is a brute-force attack and all forms
of encryption are ultimately vulnerable to it. In SSL, especially if you
use a large keysize, the time taken to crack is so long (maybe many
years) that you can be confident your communication is secure. However,
you make the attacker's job easier if you specifically tell him what
packets contain the really important data! This you do if you mix secure
and unsecure. 

If everything is under SSL then the attacker has to crack the whole data
stream since he can't tell what's in the packets. So he wastes most of
his time decoding unimportant GIFs. If you send the GIFs en clair, then
he can disregard them and focus on the little nuggets of encrypted data
which he is sure will contain the credit card numbers...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

>
>Thanks...Michael
>
>
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP 
>Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
>
>
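An added example, not part of the original message or of the Apache project: a small Python audit that lists what an HTTPS order page requests over plain `http://`, the mix the question asks about. The sample page and its hostnames are constructed, and the passive/active labels follow the usual browser mixed-content split, which the thread itself does not spell out.

```python
from html.parser import HTMLParser

# tag -> (URL-bearing attribute, kind). Plain <a href> links are navigation,
# not subresources, so they are deliberately not listed.
FETCH_ATTRS = {
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "form": ("action", "form"),
}

class MixedContentAuditor(HTMLParser):
    """Collects (line, tag, kind, url) for every http:// fetch or form target."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in FETCH_ATTRS:
            return
        attr, kind = FETCH_ATTRS[tag]
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied to the page.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        url = (attrs.get(attr) or "").strip()
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url))

def audit(html):
    """Return the insecure references found in a page meant to be served over HTTPS."""
    parser = MixedContentAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample order page (hostnames are placeholders).
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://shop.example/order.css">
<script src="http://static.example/cart.js"></script>
</head><body>
<img src="http://images.example/logo.gif">
<img src="/img/padlock.gif">
<a href="http://shop.example/help">Help</a>
<form action="https://shop.example/checkout" method="post">
<input name="card"></form>
</body></html>"""
```

Relative URLs inherit the page's scheme and are not reported; a form whose `action` is `http://` is reported with kind `form` because the submitted fields would leave the SSL session.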
