tomcat-users mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: HTTPS to HTTP
Date Thu, 09 Jan 2003 17:58:38 GMT


On Thu, 9 Jan 2003, John Holman wrote:

> Date: Thu, 09 Jan 2003 12:58:19 +0000
> From: John Holman <j.g.holman@qmul.ac.uk>
> Reply-To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Subject: Re: HTTPS to HTTP
>
>
>
> Ralph Einfeldt wrote:
>
> >I don't think that performance is a reason to keep
> >the session after a switch because in the most
> >applications the amount of protocol switches is
> >quite small when compared to the total number of
> >requests within one protocol.
> >
> Just thinking that the overhead of encrypting data when https is used
> might be a cost that sites with a lot of traffic might prefer to avoid
> by using http for all but the authentication exchange.
>

The problem with your theory is that it's a waste of time to bother doing
the encrypted authentication at all -- it adds zero to the security of the
overall transaction.  In fact, it's worse than that, because it gives you
a *false* sense of security.  :-).

If you're going to support HTTPS->HTTP anyway, you might as well just do
the whole application non-SSL.

> John.

Craig
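An added example, not from this thread and not Tomcat's own code: a servlet filter (javax.servlet API; the session attribute name is an assumption) that refuses to honour a session established over HTTPS once the client presents it over plain HTTP, which is exactly the downgrade the thread is discussing. After login, the session id is the credential, so letting it travel in cleartext undoes the encrypted authentication exchange.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Pins a session to TLS the first time it is seen over HTTPS and rejects
 * any later use of that session over plain HTTP. Deployed as an ordinary
 * filter mapped to /* in web.xml.
 */
public class SecureSessionFilter implements Filter {
    // Attribute name is an assumption for this example, not a Tomcat constant.
    static final String BOUND_TO_TLS = "example.boundToTls";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);

        if (session != null) {
            boolean bound = Boolean.TRUE.equals(session.getAttribute(BOUND_TO_TLS));
            if (request.isSecure()) {
                // First sight of this session over TLS: from now on it is TLS-only.
                session.setAttribute(BOUND_TO_TLS, Boolean.TRUE);
            } else if (bound) {
                // The session id has just crossed the wire in cleartext. Treat it
                // as exposed: drop the session rather than keep serving it.
                session.invalidate();
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "This session may only be used over HTTPS");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Marking the session cookie with the Secure attribute is the complementary client-side control (the browser then never sends it over HTTP); this filter enforces the same rule on the server regardless of what the cookie carries.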




