Re: http+aes

On Tue, 06 Mar 2012 07:55:07 +0100, Willy Tarreau <> wrote:
> So you mean that it's the *real* decryption key which is passed in  
> userinfo? It appeared obvious to me that it was just an identifier for a  
> key that the client had fetched somewhere else (eg: on the same site via  
> https or at least without passing via the CDN). If the real key is  
> passed in the response, then I fail to get the use case since your CDN  
> gets the key as well :-/

How? A resource on server S links to a resource on CDN C using http+aes.  
C's resource is encrypted. C does not know the key. The key is hosted on  
S's resource as part of the http+aes link. When the user agent fetches C's  
resource it does not include the key, but decrypts it as data comes in. So  
C never knows anything about the bits it is hosting, S and the user agent  

Anne van Kesteren

Received on Tuesday, 6 March 2012 08:26:47 UTC