
Re: Upgrading to TLS Within HTTP/1.1 draft available

From: Jim Gettys <jg@pa.dec.com>
Date: Tue, 29 Jun 1999 10:04:44 -0700
Message-Id: <9906291704.AA10519@pachyderm.pa.dec.com>
To: John Stracke <francis@ecal.com>
Cc: "Http-Wg@Hplb. Hpl. Hp. Com" <http-wg@hplb.hpl.hp.com>

> Sender: francis@ariel.local.thibault.org
> From: John Stracke <francis@ecal.com>
> Resent-From: http-wg@hplb.hpl.hp.com
> Date: Tue, 29 Jun 1999 16:47:55 +0000
> To: "Http-Wg@Hplb. Hpl. Hp. Com" <http-wg@hplb.hpl.hp.com>
> Subject: Re: Upgrading to TLS Within HTTP/1.1 draft available
> -----
> Scott Lawrence wrote:
> 
> > Part of the goal here is to show how secured and unsecured traffic in any
> > protocol can share a TCP well known port, so that we can get away from
> > assigning two ports to each protocol.
> 
> But aren't there security benefits to having separate ports (e.g., making it
> possible to run your secure server in a separate process)?
> 
>

No: the problem is that establishing a connection to a separate port
allows for man-in-the-middle attacks at connection establishment times;
you are just making attacks easier using different port numbers.

The new IESG/IANA policy is therefore to no longer allocate independent
port numbers for secure connections.  This is a stronger motivation
than conserving port numbers.
				- Jim Gettys
Received on Tuesday, 29 June 1999 18:06:04 EDT
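The thread above argues about sharing one well-known port for secured and unsecured traffic versus the man-in-the-middle exposure at connection establishment. As an added illustration, not taken from the list archive or from the draft's authors, the following Python models the client side of the "Upgrade: TLS" exchange the draft describes (later published as RFC 2817): the client asks the server to switch the existing TCP connection to TLS, and a policy flag decides what happens when no 101 comes back. The point it demonstrates is the caveat a defender cares about: a shared-port upgrade only avoids the downgrade problem if a client that requires TLS fails closed instead of continuing in the clear. The `Outcome` enum, the function names and the three sample responses are constructed for this example.

```python
"""
Added example (not from the mailing-list thread or RFC 2817 itself): a
client-side model of the HTTP/1.1 "Upgrade: TLS" handshake on a shared port.
All messages here are constructed, not captured from a real server.
"""
from enum import Enum


class Outcome(Enum):
    SWITCH_TO_TLS = "switch_to_tls"          # 101 Switching Protocols offering TLS
    CONTINUE_CLEARTEXT = "cleartext"         # no upgrade; only allowed opportunistically
    FAIL_CLOSED = "fail_closed"              # TLS required but not granted: abort
    UPGRADE_REQUIRED = "upgrade_required"    # 426: server insists on TLS first


def build_upgrade_request(host: str, path: str = "*") -> bytes:
    """Client request from RFC 2817 section 3: ask the server to switch this
    same TCP connection to TLS.  'Connection: Upgrade' is mandatory so that a
    hop-by-hop intermediary does not silently forward the Upgrade header."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_and_headers(response: bytes):
    """Minimal HTTP/1.1 response-head parser: (status code, {lowercased name: value})."""
    head, _, _body = response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(status), headers


def _offers_tls(headers) -> bool:
    """True if Upgrade lists a TLS token and Connection carries 'upgrade'."""
    upgrade = [t.strip().lower() for t in headers.get("upgrade", "").split(",")]
    connection = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    return any(t.startswith("tls/") for t in upgrade) and "upgrade" in connection


def decide(response: bytes, require_tls: bool) -> Outcome:
    """Client policy after sending the upgrade request.

    Only a 101 that actually names TLS means the connection may be handed to
    the TLS layer.  Any other answer (a plain 200, a stripped Upgrade header,
    an intermediary answering in the clear) is a failed upgrade; whether that
    is fatal depends on whether the client required TLS to begin with."""
    status, headers = parse_status_and_headers(response)
    if status == 101 and _offers_tls(headers):
        return Outcome.SWITCH_TO_TLS
    if status == 426:
        return Outcome.UPGRADE_REQUIRED
    return Outcome.FAIL_CLOSED if require_tls else Outcome.CONTINUE_CLEARTEXT


# Constructed sample responses (not captured traffic).
SWITCHED = (b"HTTP/1.1 101 Switching Protocols\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n\r\n")
PLAIN = (b"HTTP/1.1 200 OK\r\n"
         b"Allow: GET, HEAD\r\n"
         b"Content-Length: 0\r\n\r\n")
REQUIRED = (b"HTTP/1.1 426 Upgrade Required\r\n"
            b"Upgrade: TLS/1.0, HTTP/1.1\r\n"
            b"Connection: Upgrade\r\n"
            b"Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    print(build_upgrade_request("example.com").decode())
    for name, resp in (("101", SWITCHED), ("200", PLAIN), ("426", REQUIRED)):
        print(name, "require_tls=True ->", decide(resp, require_tls=True).value,
              "| require_tls=False ->", decide(resp, require_tls=False).value)
```

The `require_tls=True` path is the one that matters for the port-sharing argument: with a single port the first bytes are always cleartext HTTP, so the only protection against an intermediary that answers the `OPTIONS` in the clear is a client that treats anything other than a TLS-bearing 101 as failure.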