- From: Jim Gettys <jg@pa.dec.com>
- Date: Tue, 29 Jun 1999 10:04:44 -0700
- To: John Stracke <francis@ecal.com>
- Cc: "Http-Wg@Hplb. Hpl. Hp. Com" <http-wg@hplb.hpl.hp.com>
> Sender: francis@ariel.local.thibault.org
> From: John Stracke <francis@ecal.com>
> Resent-From: http-wg@hplb.hpl.hp.com
> Date: Tue, 29 Jun 1999 16:47:55 +0000
> To: "Http-Wg@Hplb. Hpl. Hp. Com" <http-wg@hplb.hpl.hp.com>
> Subject: Re: Upgrading to TLS Within HTTP/1.1 draft available
> -----
> Scott Lawrence wrote:
>
> > Part of the goal here is to show how secured and unsecured traffic in any
> > protocol can share a TCP well known port, so that we can get away from
> > assigning two ports to each protocol.
>
> But aren't there security benefits to having separate ports (e.g., making it
> possible to run your secure server in a separate process)?
>

No: the problem is that establishing a connection to a separate port allows for man-in-the-middle attacks at connection establishment times; you are just making attacks easier using different port numbers. The new IESG/IANA policy is therefore to no longer allocate independent port numbers for secure connections. This is the stronger motivation than conserving port numbers.

- Jim Gettys
Received on Tuesday, 29 June 1999 10:08:50 UTC
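The mechanism under discussion, the HTTP/1.1 `Upgrade: TLS/1.0` handshake that lets cleartext and secured traffic share one well-known port, as an added worked example that is not code from this thread, the draft or its authors. It follows the header names and status codes (101 Switching Protocols, 426 Upgrade Required) as they appear in the published form of that draft, RFC 2817; the host name and every message here are constructed inline, and no socket or real TLS handshake is involved, so it runs offline. The client-side check is the part that matters for Jim's point: once the port no longer signals "secure", a client that requires TLS must fail closed on anything other than a well-formed 101 rather than continuing in the clear.

```python
# Added example (not from the thread or the draft it discusses): the
# HTTP/1.1 "Upgrade: TLS/1.0" exchange on a single shared port, as later
# published in RFC 2817. Messages are built and parsed in memory only.

from typing import Dict, Set, Tuple

Headers = Dict[str, str]


def parse_message(raw: bytes) -> Tuple[str, Headers]:
    """Split an HTTP/1.1 head into its start line and a lower-cased header map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _tokens(value: str) -> Set[str]:
    """Comma-separated header value -> set of lower-cased tokens."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def build_upgrade_request(host: str) -> bytes:
    """Client: ask to switch this connection to TLS before sending anything sensitive."""
    return (
        "OPTIONS * HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: TLS/1.0\r\n"
        "Connection: Upgrade\r\n"
        "\r\n"
    ).encode("ascii")


def server_respond(raw_request: bytes, require_tls: bool) -> bytes:
    """Server on one shared port: 101 if the client offered TLS, 426 if TLS is
    mandatory and the client did not offer it, otherwise serve in cleartext."""
    _start, h = parse_message(raw_request)
    offered = "tls/1.0" in _tokens(h.get("upgrade", ""))
    wants_upgrade = "upgrade" in _tokens(h.get("connection", ""))
    if offered and wants_upgrade:
        return (
            "HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: TLS/1.0, HTTP/1.1\r\n"
            "Connection: Upgrade\r\n"
            "\r\n"
        ).encode("ascii")  # the TLS handshake would follow on this connection
    if require_tls:
        return (
            "HTTP/1.1 426 Upgrade Required\r\n"
            "Upgrade: TLS/1.0, HTTP/1.1\r\n"
            "Connection: Upgrade\r\n"
            "Content-Length: 0\r\n"
            "\r\n"
        ).encode("ascii")
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def client_may_proceed_over_tls(raw_response: bytes) -> bool:
    """Client that required TLS: proceed only on a well-formed 101 naming TLS.
    A cleartext 200, a 426, or a response with the Upgrade header missing
    means no handshake happened, so the real request must not go out in the clear."""
    start, h = parse_message(raw_response)
    parts = start.split(" ", 2)
    if len(parts) < 2 or parts[0] != "HTTP/1.1" or parts[1] != "101":
        return False
    return ("tls/1.0" in _tokens(h.get("upgrade", ""))
            and "upgrade" in _tokens(h.get("connection", "")))


if __name__ == "__main__":
    req = build_upgrade_request("example.invalid")  # constructed host name
    print(client_may_proceed_over_tls(server_respond(req, require_tls=True)))  # True
    plain = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"  # constructed cleartext request
    print(server_respond(plain, require_tls=True).split(b"\r\n")[0])  # b'HTTP/1.1 426 Upgrade Required'
```

Run it directly to see the two outcomes: a client that offers the upgrade gets a 101 and may start TLS on the same connection, while a plain request to a server that insists on TLS gets a 426 and nothing else. The `client_may_proceed_over_tls` check is deliberately strict about the status line and both headers, because with a shared port the response itself, not the port number, is the only thing telling the client whether it is about to talk over TLS.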