From: Eric Rescorla <[EMAIL PROTECTED]>

ekr> Frankly, RFC 2817 has a lot of problems. Although it allows
ekr> automatic negotiation, which is a plus, there's no way to
ekr> specify in the URL that the client should EXPECT to negotiate
ekr> TLS (other than using https:// which would indicate that you
ekr> should do HTTPS, not HTTP Upgrade with a requirement for TLS).
ekr> This is a serious reference integrity problem.

That is a very good point.

ekr> Also, HTTP Upgrade interacts very badly with proxies. Since
ekr> Upgrade is a hop-by-hop header, there's no way to negotiate
ekr> an end-to-end HTTP Upgrade to TLS through a proxy, which is
ekr> a serious problem. By contrast, HTTPS just uses the CONNECT
ekr> method.

Uhmm, what would stop any client from connecting to the proxy, say CONNECT
to it, and after getting the 200 back do the HTTP Upgrade through that
channel?

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
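The two exchanges discussed above, as an added example that is not part of the original thread or of OpenSSL: a proxy's hop-by-hop stripping, which is why a plain RFC 2817 Upgrade never reaches the origin through a proxy, beside the CONNECT-then-Upgrade sequence Levitte asks about. The host name, port, proxy replies and origin replies are constructed placeholders, not captured traffic; the header formats follow RFC 2817 section 3 and the hop-by-hop list in RFC 2616 section 13.5.1.

```python
"""Upgrade-to-TLS (RFC 2817) through an HTTP proxy, modelled as messages.

Added example, not code from the thread. Hosts and replies below are
constructed for illustration.
"""

# Hop-by-hop headers (RFC 2616 13.5.1): a proxy must not forward these,
# nor any header named in the Connection header.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def parse_message(raw: bytes):
    """Split an HTTP/1.1 message head into (start line, [(name, value)])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def proxy_forward(raw: bytes) -> bytes:
    """The request a conforming proxy passes on to the origin: hop-by-hop
    headers and every header listed in Connection are removed."""
    start, headers = parse_message(raw)
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name == "connection":
            drop.update(v.strip().lower() for v in value.split(","))
    kept = [f"{n}: {v}" for n, v in headers if n not in drop]
    return ("\r\n".join([start] + kept) + "\r\n\r\n").encode("latin-1")


def build_upgrade_request(host: str) -> bytes:
    """RFC 2817 section 3.1: client asks to switch this connection to TLS."""
    return (f"OPTIONS * HTTP/1.1\r\nHost: {host}\r\n"
            "Upgrade: TLS/1.0\r\nConnection: Upgrade\r\n\r\n").encode("latin-1")


def build_connect(host: str, port: int) -> bytes:
    """CONNECT: ask the proxy for an opaque TCP tunnel to host:port."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("latin-1")


def status_code(raw: bytes) -> int:
    start, _ = parse_message(raw)
    return int(start.split(" ", 2)[1])


def accepted_tls_upgrade(raw: bytes) -> bool:
    """True only for 101 Switching Protocols whose Upgrade header names TLS."""
    if status_code(raw) != 101:
        return False
    _, headers = parse_message(raw)
    for name, value in headers:
        if name == "upgrade":
            tokens = [t.strip().upper() for t in value.split(",")]
            return any(t.startswith("TLS/") for t in tokens)
    return False


def upgrade_survives_proxy(host: str) -> bool:
    """Rescorla's point: send the Upgrade request via a proxy and check
    whether the origin would ever see an Upgrade header."""
    _, headers = parse_message(proxy_forward(build_upgrade_request(host)))
    return any(name == "upgrade" for name, _ in headers)


def tunnel_then_upgrade(host: str, port: int,
                        proxy_reply: bytes, origin_reply: bytes) -> str:
    """Levitte's proposal: CONNECT first, then run the Upgrade inside the
    tunnel, where the proxy no longer parses headers. Returns the outcome."""
    build_connect(host, port)                  # step 1: client -> proxy
    if not 200 <= status_code(proxy_reply) < 300:
        return "tunnel refused"
    build_upgrade_request(host)                # step 2: client -> origin, via tunnel
    if accepted_tls_upgrade(origin_reply):
        return "tls"                           # TLS handshake would start here
    return "upgrade declined"                  # origin answered OPTIONS in the clear


# Constructed replies (not captured traffic).
PROXY_OK = b"HTTP/1.1 200 Connection established\r\n\r\n"
PROXY_DENY = b"HTTP/1.1 403 Forbidden\r\n\r\n"
ORIGIN_101 = (b"HTTP/1.1 101 Switching Protocols\r\n"
              b"Upgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n")
ORIGIN_200 = b"HTTP/1.1 200 OK\r\nAllow: GET, OPTIONS\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print("Upgrade header reaches origin via proxy:", upgrade_survives_proxy("example.com"))
    print("CONNECT then Upgrade:", tunnel_then_upgrade("example.com", 443, PROXY_OK, ORIGIN_101))
```

`proxy_forward` is what makes the direct Upgrade fail: the proxy drops both `Upgrade` and the `Connection: Upgrade` that names it, so the origin just sees a plain `OPTIONS *`. In `tunnel_then_upgrade` the proxy only parses the CONNECT request; everything after its 2xx reply is relayed as opaque bytes, so the Upgrade request and the 101 reach the two endpoints intact.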