tomcat-users mailing list archives

From Joel Rees <j...@alpsgiken.gr.jp>
Subject Re: HTTPS to HTTP
Date Fri, 10 Jan 2003 02:22:42 GMT
> > > I don't think that performance is a reason to keep
> > > the session after a switch because in most
> > > applications the number of protocol switches is
> > > quite small when compared to the total number of
> > > requests within one protocol.
> >
> > A possibly stupid question -- is it possible to send graphics raw and
> > text encrypted?
> >
> 
> Sure ... make your <img src="..."> URLs in the encrypted pages point at
> absolute "http:" (not "https:") URLs of where the images are.

I'm thinking that shipping images raw and text under https might help
those who are concerned about performance. Would this open other holes
besides the booby-trap I mentioned below? Would shipping the images http
open the entire transaction to snooping?

> > (This could leave a trap for obscurationists who send confirmation codes
> > as images, of course.)
> 
> If you're going to switch from https->http, you are totally wasting your
> time messing with https in the first place.  It buys you nothing except a
> *perception* that you are more secure -- that is not the reality.

Am I way out in left field with this idea?

-- 
Joel Rees <joel@alpsgiken.gr.jp>
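
An added example, not part of the original message or the thread: a check for the question above. It lists the `http:` subresources an `https:` page would fetch and which of the page's cookies a browser would attach to those cleartext requests. The host names, page markup and cookie values are constructed, and cookie matching is simplified to host-only cookies with a prefix path match.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample: an https page, its markup, and the Set-Cookie headers it sent.
PAGE_URL = "https://shop.example/checkout/confirm"
HTML = """<p>Order total: 42.00</p>
<img src="http://shop.example/img/logo.png">
<img src="http://static.example/img/banner.png">
<img src="/img/lock.png">"""
SET_COOKIE = ["JSESSIONID=0123456789ABCDEF; Path=/",
              "CSRF=tok; Path=/checkout; Secure"]

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src"}

class _Subresources(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.urls = base, []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(FETCH_ATTRS.get(tag, ""))
        if value:
            self.urls.append(urljoin(self.base, value))  # resolve relative URLs

def cleartext_exposure(page_url, html, set_cookie_headers):
    """Map each http: subresource to the cookie names sent with it unencrypted."""
    page = urlsplit(page_url)
    cookies = SimpleCookie()
    for header in set_cookie_headers:
        cookies.load(header)
    parser = _Subresources(page_url)
    parser.feed(html)
    report = {}
    for url in parser.urls:
        res = urlsplit(url)
        if res.scheme != "http":
            continue  # fetched over TLS, not visible on the wire
        # Cookies are not isolated by scheme: without the Secure attribute
        # they accompany plain http requests to the same host.
        report[url] = sorted(
            name for name, m in cookies.items()
            if res.hostname == page.hostname and not m["secure"]
            and (res.path or "/").startswith(m["path"] or "/"))
    return report

if __name__ == "__main__":
    print(cleartext_exposure(PAGE_URL, HTML, SET_COOKIE))
```

An empty list for a URL still means the image request itself (URL, referring host, content) is readable and modifiable on the network path; a non-empty list means the named session cookie is exposed as well.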

