tomcat-users mailing list archives

From "David Brown" <da...@davidwbrown.name>
Subject Re: How to use https together with http
Date Fri, 01 Feb 2008 14:55:05 GMT
Yep, Konstantin is right. This is what I do with all of my public pages that I want secured.
This means I https ALL pages without exception if I want it to be secure. The net is nasty.
You may have performance issues but once your public server is breached you will have more
issues. As I said before: JSF is slow. There are benchmarks using JMeter comparing like JSF
and JSP pages. Read Peter Lin's work on performance. HTH.

Konstantin Kolinko wrote ..
> You cannot and must not show that your page is secure, because it is not.
> 
> The problem is that your page is vulnerable to a man-in-the-middle
> attack: there is no guarantee that the text of your web page or of the
> javascript files that it is using was not altered by someone while it
> was transmitted from the server to your client.
> 
> E.g. someone may implement a script that submits the copy of sensitive
> data to some other server, before submitting it through https to your
> server.
> 
> The only way to claim that your page is secure is to serve it through https.
> 
> 
> 
> 2008/2/1, Dave <javaone9@yahoo.com>:
> > If a form may contain personal data, it should be submitted using https. Also
> > we need to let the user know it is secure by showing a lock and https://.... in the browser
> > address bar.
> >
> > Sometimes the IE browser shows a warning: the page contains both secure and
> > nonsecure data. What is the meaning? How to avoid the warning?
> >
> >
> 
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
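
A check for the two conditions discussed in this thread, as an added example that is not part of the original messages: it flags subresources that an https page would load over plain http (the cause of the "secure and nonsecure" warning) and flags a page that is itself delivered over http even though its form posts to https. The function name `audit_page`, the tag lists and the `example.test` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch from, or submit to, a URL.
# Treating every <link href> as active is a simplifying assumption.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"), ("form", "action")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or (tag, name) not in ACTIVE | PASSIVE:
                continue
            # Relative and protocol-relative URLs inherit the page's scheme.
            target = urljoin(self.page_url, value.strip())
            if urlsplit(target).scheme == "http":
                kind = "active" if (tag, name) in ACTIVE else "passive"
                self.findings.append((kind, tag, target))


def audit_page(page_url, html):
    """Return (kind, tag, url) findings for a page fetched from page_url."""
    collector = _Collector(page_url)
    collector.feed(html)
    if urlsplit(page_url).scheme != "https":
        # The case from the thread: the form posts to https, but the page
        # carrying it arrived in clear text and could have been altered.
        collector.findings.insert(0, ("page", "document", page_url))
    return collector.findings


# Constructed sample: a login page whose form action is https.
SAMPLE = """<html><head><script src="http://static.example.test/app.js"></script>
<link rel="stylesheet" href="/css/site.css"></head><body>
<img src="http://static.example.test/logo.png">
<form action="https://www.example.test/login" method="post">
<input name="user"><input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    for url in ("https://www.example.test/login.jsp", "http://www.example.test/login.jsp"):
        print(url, audit_page(url, SAMPLE))
```

An empty result for the https URL means every listed resource and the form target stay on https; any "active" finding is a script, frame, stylesheet link or form target that travels in clear text.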
