tomcat-users mailing list archives

From "Konstantin Kolinko" <knst.koli...@gmail.com>
Subject Re: How to use https together with http
Date Fri, 01 Feb 2008 14:25:28 GMT
You cannot and must not show that your page is secure, because it is not.

The problem is that your page is vulnerable to a man-in-the-middle
attack: there is no guarantee that the text of your web page or of the
JavaScript files that it is using was not altered by someone while it
was transmitted from the server to your client.

E.g. someone may implement a script that submits a copy of sensitive
data to some other server, before submitting it through https to your
server.

The only way to claim that your page is secure is to serve it through https.



2008/2/1, Dave <javaone9@yahoo.com>:
>   If a form may contain personal data, it should be submitted using https. Also we need
> to let the user know it is secure by showing a lock and https://.... in the browser address bar.
>
>   Sometimes the IE browser shows a warning: the page contains both secure and nonsecure
> data. What is the meaning? How to avoid the warning?
>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
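
The two situations discussed in this thread (a form served over http that posts to https, and an https page that pulls in http resources and triggers the browser's mixed-content warning) can be checked for mechanically. The following is an added example, not part of the original messages; the `audit` function, the finding labels and the `shop.example.test` hosts are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose "src" attribute makes the browser fetch a subresource.
FETCH_TAGS = {"script", "img", "iframe"}


class TransportAudit(HTMLParser):
    """Collect transport findings for one page, given the URL it was served from."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in FETCH_TAGS and attrs.get("src"):
            # urljoin resolves relative and protocol-relative URLs like a browser.
            target = urljoin(self.page_url, attrs["src"])
            if urlsplit(target).scheme != "http":
                return
            if self.page_secure:
                # Source of the "secure and nonsecure" browser warning.
                self.findings.append(("mixed-content", tag, target))
            elif tag == "script":
                # Script fetched in clear text can be altered in transit.
                self.findings.append(("tamperable-script", tag, target))
        elif tag == "form":
            target = urljoin(self.page_url, attrs.get("action") or self.page_url)
            if not self.page_secure:
                # An https action does not help: the form markup itself
                # arrived unauthenticated and may have been rewritten.
                self.findings.append(("form-on-http-page", tag, target))
            elif urlsplit(target).scheme == "http":
                self.findings.append(("form-posts-to-http", tag, target))


def audit(page_url, html):
    """Return a list of (finding, tag, resolved_url) tuples for the page."""
    parser = TransportAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not taken from the thread).
SAMPLE = """<html><body>
<script src="/js/validate.js"></script>
<img src="http://static.example.test/logo.png">
<form action="https://shop.example.test/login" method="post">
<input name="password" type="password"></form>
</body></html>"""
```

Run against the page URL as the browser would request it; serving the same markup over https clears the form and script findings and leaves only the http image to fix.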

