- From: David P. Kemp <dpkemp@missi.ncsc.mil>
- Date: Wed, 5 Feb 1997 13:08:09 -0500
- To: ietf-tls@w3.org
> From: Tom Weinstein <tomw@netscape.com>
>
> I also object to trying to do SSL and non-SSL on the same port for
> security reasons. It adds another level of complexity to making sure
> you don't get rolled back to an insecure state.

Will Netscape's browser process URLs of the forms https://foo.com:80 (resulting in an SSL connection on port 80) and http://foo.com:443 (resulting in an HTTP connection on port 443), and can Netscape's servers be configured to do an SSL listen on 80 and an HTTP listen on 443?

I believe the answers are all "yes". Thus the port numbers have nothing to do with security; they are just a convention that facilitates interoperability without having to look at the bitstream to guess which protocol is being used.

If you configure a server/browser to only do SSL with only the SSL versions and ciphersuites that meet your security requirements, then you can't be rolled back into "an insecure state" (i.e. a connection using a protocol or ciphersuite that does not satisfy your security policy). Port numbers have nothing to do with it.
Received on Wednesday, 5 February 1997 13:09:00 UTC
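
The message above places the security policy in the permitted protocol versions and ciphersuites rather than in the port number. The following is an added example, not part of the original message or of any Netscape product: it audits Python `ssl` server contexts against an assumed policy (TLS 1.2 or later, AEAD suites only), using a constructed listener table in which the conventional port numbers are swapped.

```python
import ssl

# Assumed policy for this example (not from the message): TLS 1.2 or later
# and AEAD ciphersuites only.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def build_context(hardened):
    """Build a server-side context; certificate loading is omitted here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if hardened:
        ctx.minimum_version = MIN_VERSION
        ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    else:
        # Lax settings: any version the library supports, CBC suites allowed.
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.set_ciphers("AES")
    return ctx


def policy_violations(ctx):
    """List what ctx could negotiate that falls outside the policy."""
    problems = []
    if ctx.minimum_version < MIN_VERSION:
        problems.append(f"minimum_version is {ctx.minimum_version.name}")
    for suite in ctx.get_ciphers():
        if not suite["aead"]:
            problems.append(f"non-AEAD suite enabled: {suite['name']}")
    return problems


# Constructed listener table: the port numbers are deliberately swapped
# relative to convention, as in the URLs the message asks about.
LISTENERS = {80: build_context(hardened=True), 443: build_context(hardened=False)}


def audit_listeners(listeners):
    """Map each port to its violations; the port never enters the check."""
    return {port: policy_violations(ctx) for port, ctx in listeners.items()}


if __name__ == "__main__":
    for port, problems in audit_listeners(LISTENERS).items():
        status = "meets policy" if not problems else f"{len(problems)} violation(s)"
        print(port, status)
        for problem in problems[:3]:
            print("   ", problem)
```

The exact list of suites flagged for the lax context depends on the local OpenSSL build.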