- From: Scott Lawrence <lawrence@agranat.com>
- Date: Thu, 4 May 2000 18:28:00 -0400
- To: Julien Pierre <jpierre@netscape.com>, Rohit Khare <rohit@uci.edu>
- Cc: IETF HTTP List <http-wg@hplb.hpl.hp.com>

> From: Julien Pierre
>
> I don't think users will waste their time filling forms
> if they are not ahead of
> time certain that it will be transmitted securely.

If they are that concerned about it, then they should not fill out forms that were not delivered securely. If the form was delivered over an unsecured connection, it may have been modified in any number of ways to subvert the apparent intent of the form. Browsers don't normally expose the ACTION attribute of a form - an attacker may have changed that, or modified field names - the possibilities are endless.

Encrypting one exchange in a multiple exchange transaction is no security at all.

> The duplicate TCP port number issue is IMHO less of a
> problem because it is rare
> to exhaust all 2**16 possible TCP ports on a server.

The concern is with the well-known ports - a much much smaller space.

--
Scott Lawrence, Director of R & D <lawrence@agranat.com>
Agranat Systems, Embedded Web Technology, http://www.agranat.com/

Received on Thursday, 4 May 2000 15:32:24 UTC
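
The point about form delivery can be turned into a site audit check. The following is an added example, not part of the original message: it classifies each form by how the page carrying it was delivered as well as where it submits. The names `FormCollector` and `audit_forms`, the verdict strings and the sample page are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect the raw ACTION attribute of every <form> and the first <base href>."""
    def __init__(self):
        super().__init__()
        self.actions = []
        self.base = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base is None and attrs.get("href"):
            self.base = attrs["href"]
        elif tag == "form":
            self.actions.append(attrs.get("action") or "")

def audit_forms(page_url, html):
    """Return (resolved_action, verdict) for each form delivered at page_url."""
    parser = FormCollector()
    parser.feed(html)
    base = urljoin(page_url, parser.base) if parser.base else page_url
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for action in parser.actions:
        # A missing or empty ACTION submits back to the page's own URL.
        target = urljoin(base, action) if action else page_url
        if not page_secure:
            # The form itself arrived unprotected, so its ACTION and field
            # names cannot be trusted even when the target is https.
            verdict = "form-delivered-insecurely"
        elif urlsplit(target).scheme != "https":
            verdict = "submission-insecure"
        else:
            verdict = "ok"
        results.append((target, verdict))
    return results

# Constructed sample page, not taken from the thread.
SAMPLE = """
<form action="https://shop.example/checkout"><input name="card"></form>
<form action="/search"><input name="q"></form>
<form><input name="email"></form>
"""

if __name__ == "__main__":
    for url in ("http://shop.example/cart", "https://shop.example/cart"):
        for target, verdict in audit_forms(url, SAMPLE):
            print(url, "->", target, verdict)
```

The first form in the sample posts to an https URL, yet it is still flagged when the page arrived over http, which is the case the message describes.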