tomcat-users mailing list archives

From "Craig R. McClanahan" <>
Subject Re: HTTPS to HTTP
Date Thu, 09 Jan 2003 17:58:38 GMT

On Thu, 9 Jan 2003, John Holman wrote:

> Date: Thu, 09 Jan 2003 12:58:19 +0000
> From: John Holman <>
> Reply-To: Tomcat Users List <>
> To: Tomcat Users List <>
> Subject: Re: HTTPS to HTTP
> Ralph Einfeldt wrote:
> >I don't think that performance is a reason to keep
> >the session after a switch because in the most
> >applications the amount of protocol switches is
> >quite small when compared to the total number of
> >requests within one protocol.
> >
> Just thinking that the overhead of encrypting data when https is used
> might be a cost that sites with a lot of traffic might prefer to avoid
> by using http for all but the authentication exchange.

The problem with your theory is that it's a waste of time to bother doing
the encrypted authentication at all -- it adds zero to the security of the
overall transaction.  In fact, it's worse than that, because it gives you
a *false* sense of security.  :-).

If you're going to support HTTPS->HTTP anyway, you might as well just do
the whole application non-SSL.

> John.

