
RE: draft-ietf-tls-http-upgrade reissued

From: Scott Lawrence <lawrence@agranat.com>
Date: Thu, 4 May 2000 18:28:00 -0400
To: "Julien Pierre" <jpierre@netscape.com>, "Rohit Khare" <rohit@uci.edu>
Cc: "IETF HTTP List" <http-wg@hplb.hpl.hp.com>
Message-ID: <000e01bfb618$010c0ae0$954768c0@oyster.agranat.com>
> From: Julien Pierre

> I don't think users will waste their time filling forms
> if they are not ahead of
> time certain that it will be transmitted securely.

If they are that concerned about it, then they should not fill out
forms that were not delivered securely.  If the form was delivered
over an unsecured connection, it may have been modified in any
number of ways to subvert the apparent intent of the form.  Browsers
don't normally expose the ACTION attribute of a form - an attacker
may have changed that, or modified field names - the possibilities
are endless.  Encrypting one exchange in a multiple exchange
transaction is no security at all.

> The duplicate TCP port number issue is IMHO less of a
> problem because it is rare
> to exhaust all 2**16 possible TCP ports on a server.

The concern is with the well-known ports - a much much smaller
space.

--
Scott Lawrence      Director of R & D        <lawrence@agranat.com>
Agranat Systems   Embedded Web Technology   http://www.agranat.com/
Received on Thursday, 4 May 2000 23:31:50 EDT
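
The point made in the reply above about forms delivered over an unsecured connection, as an added example that is not part of the original message: a Python check that exposes each form's ACTION target and flags a form as untrustworthy when the page carrying it was not fetched over https, even if the submission itself would be encrypted. The function name `audit_forms`, the issue labels and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the raw ACTION attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty ACTION submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return one finding per form: resolved target plus why it is unsafe."""
    collector = _FormCollector()
    collector.feed(html)
    page = urlsplit(page_url)
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)
        dest = urlsplit(target)
        issues = []
        if page.scheme != "https":
            # The form itself could have been altered in transit, so even an
            # https target says nothing about where the data really goes.
            issues.append("form-delivered-insecurely")
        if dest.scheme != "https":
            issues.append("submission-not-encrypted")
        if dest.netloc.lower() != page.netloc.lower():
            issues.append("cross-origin-target")
        findings.append({"target": target, "issues": issues})
    return findings


# Constructed sample: a page fetched over http whose form posts to https.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = ('<form method="post" action="https://pay.example/submit">'
               '<input name="card"></form>')

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(finding["target"], finding["issues"])
```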
