httpd-users mailing list archives

From: Brian Mearns <mearn...@gmail.com>
Subject: Re: [users@httpd]
Date: Wed, 11 Nov 2009 03:34:24 GMT
On Tue, Nov 10, 2009 at 6:37 PM, Eric Covener <covener@gmail.com> wrote:
> On Tue, Nov 10, 2009 at 6:20 PM, Stephen Love <stephenlove@juno.com> wrote:
>> So what you are telling me is that there IS no REAL 2-way handshaking going
>> on. Then we've lost ALL hope of security.
>>
>
> What's "REAL" in this context?  It's not authenticated and doesn't
> result in some session establishment unless you configure your
> application to require/manage such a thing?
>
> --
> Eric Covener
> covener@gmail.com
[clip]

Yes, why don't you tell us exactly what you want to do, what's your
end goal? Visitor stats? Geographic locating? Authentication of a
real-world identity? There are a lot of very bright and very
knowledgeable people on this list, so if there's any way at all to do
what you want, then there is a very good chance that somebody here
will be able to tell you. It just might not be done the way you think
it should be.

As many of us have said, TCP is an end-to-end protocol. And in fact,
it is stateful, so you can send messages back and forth between the
two end points for as long as the connection is open. There is a
handshake that goes on between the two end points to set up this
connection, but this is not any sort of real authentication process
that confirms the identity of either end. What TCP gets you is pretty
good confidence that you are talking to the same person you were when
you started the conversation, but even that confidence is really only
upheld in the absence of active attacks like IP spoofing, and it
provides absolutely no confidence that there aren't other people
listening to the conversation, and potentially even participating in
the conversation.

If you're looking for security: like making sure no one else is
listening to the conversation, no one else is modifying the
conversation data, and/or making sure that the person on the other end
is who they claim to be...then you're going to need a much more
sophisticated protocol than TCP, IP, or HTTP. SSL/TLS provides all
these things, with the latest TLS version believed to be quite secure
with current technologies and techniques. HTTPS layers HTTP over a
secure SSL or TLS connection, and is available in Apache with mod_ssl.

Your comment that "we've lost ALL hope of security" is quite accurate
with regards to HTTP, TCP, and IP alone. These protocols were really
not designed with any attention to security as security wasn't really
an acknowledged concern at the time they were created. Thus we have
add-on protocols like SSL and TLS.

Anyway, back to my point: tell us what you're actually trying to do
and there's a good chance someone can help you, as long as you're
willing to let go of any preconceived notions on how to get the job
done (that's always the biggest stumbling block to learning something
new).

Cheers,
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
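As an added example (not part of Brian's message or the Apache project's own documentation), here is the kind of mod_ssl virtual host that gives the "2-way" authenticated handshake the original poster was asking about: the server proves its identity with its certificate, and SSLVerifyClient additionally requires the client to present a certificate signed by a CA you trust. The file paths and hostname are placeholders you would replace with your own.

```apache
# Added example: HTTPS with mutual (client + server) TLS authentication
# in Apache httpd via mod_ssl. Paths and hostname are placeholders.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # Turn on TLS for this host; plain TCP/HTTP alone gives no
    # confidentiality, integrity or identity guarantees.
    SSLEngine on

    # Server identity: certificate and private key presented to clients.
    SSLCertificateFile      /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key

    # Only accept modern protocol versions (assumes httpd 2.4 with a
    # reasonably recent OpenSSL; drop -TLSv1.1 on very old builds).
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Client identity: require a certificate chaining to this CA, so the
    # handshake authenticates both ends rather than just the server.
    SSLCACertificateFile    /etc/ssl/certs/client-ca.crt
    SSLVerifyClient         require
    SSLVerifyDepth          2

    # Expose the verified client certificate's subject to the application
    # (SSL_CLIENT_S_DN etc.) instead of trusting anything the client types.
    SSLOptions +StdEnvVars

    DocumentRoot /var/www/html
</VirtualHost>
```

With SSLVerifyClient set to `require`, a client that cannot present a certificate signed by the configured CA is rejected during the handshake, before any HTTP request is processed.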

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

