Michael Sweet <[EMAIL PROTECTED]> writes:

> Richard Levitte - VMS Whacker wrote:
> > ...
> > I think Eric's point is one of user request and feedback.  How
> > does a user easily request a secure channel?  As it is right now,
> > "https:" as opposed to "http:" is a very simple way, and also
> > contains direct feedback.  The user knows (hopefully) that the
> > extra "s" means it's intended to be secure (at least, we can hope
> > for it, can't we?  :-)).
> 
> :)
> 
> I'd imagine that many products would follow the lead of Netscape
> and MS with a separate checkbox, as is already available for EMail
> and news servers.
>
> In our software (CUPS and Print Pro) the user can force
> encryption via config files or environment variables (crude, but
> sufficient for now while we work out the functional requirements)
> I anticipate we'll be adding a command-line option to force
> encryption (e.g. "lpr -E" or something like that), with similar
> options in the GUIs.

The reason that this sort of thing works for mail and news is
that to a first order you're always talking to the same server
(your first hop server). The problem is that with HTTP you 
have to talk to a wide variety of servers, many of whom do
not support encryption. In such cases, requiring TLS tends
to result in not being able to connect to anyone.

What you really want is some way for the server to tell you
that TLS is required and then the client can insist on it.
"https://" serves this purpose but HTTP upgrade has no corresponding
signal.

> That said, I don't think HTTP Upgrade will replace https.  They
> each have their places - I just hope that browsers start
> supporting HTTP Upgrade (at least the server-initiated kind)
> so that we don't have to write a hack-and-a-half to work around
> browser limitations...

Unfortunately, in many situations the confidential information
is in the client's request. In such situations server upgrade
is of little value since the client has already transmitted
its confidential information by the time it knows it should upgrade.


-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/
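The two upgrade paths discussed above, as an added, self-contained simulation (not code from this thread, CUPS, or OpenSSL): an in-memory HTTP/1.1 server that insists on TLS answers either a client that only learns about the requirement from a server-initiated 426 reply, or a client that probes with the RFC 2817 `OPTIONS * ... Upgrade: TLS/1.0` handshake before sending anything. The host name, paths and form body are constructed sample values; the TLS handshake itself is represented by a flag.

```python
"""Constructed simulation of HTTP/1.1 TLS upgrade; records what the client sent in the clear."""

CONFIDENTIAL_BODY = "user=alice&password=hunter2"  # constructed sample secret


def parse_request(raw):
    """Split a request into (method, target, lowercase-header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def server(raw, over_tls):
    """Server that requires TLS for everything except the upgrade handshake itself."""
    method, target, headers, _body = parse_request(raw)
    if over_tls:
        return "HTTP/1.1 200 OK\r\n\r\n"
    if method == "OPTIONS" and target == "*" and "tls/1.0" in headers.get("upgrade", "").lower():
        return "HTTP/1.1 101 Switching Protocols\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"
    # Server-initiated upgrade: by now the whole cleartext request has already been read.
    return "HTTP/1.1 426 Upgrade Required\r\nUpgrade: TLS/1.0, HTTP/1.1\r\nConnection: Upgrade\r\n\r\n"


def build_request(method, target, headers, body=""):
    lines = ["%s %s HTTP/1.1" % (method, target), "Host: printer.example"]  # constructed host
    lines += ["%s: %s" % kv for kv in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def client(require_tls):
    """Return (final status line, everything the client put on the wire before TLS)."""
    sent_in_clear = []
    over_tls = False
    request = build_request("POST", "/jobs", {"Content-Type": "application/x-www-form-urlencoded"},
                            CONFIDENTIAL_BODY)
    if require_tls:
        # Client-initiated upgrade: ask first, send the real request only after a 101.
        probe = build_request("OPTIONS", "*", {"Upgrade": "TLS/1.0", "Connection": "Upgrade"})
        sent_in_clear.append(probe)
        if server(probe, over_tls).startswith("HTTP/1.1 101"):
            over_tls = True  # the TLS handshake would run here; simulated by the flag
        else:
            return "refused: server will not upgrade", "".join(sent_in_clear)
    if not over_tls:
        sent_in_clear.append(request)  # no signal told the client to insist on TLS
    reply = server(request, over_tls)
    return reply.split("\r\n")[0], "".join(sent_in_clear)
```

Running `client(False)` yields a 426 with the password already in the cleartext record, while `client(True)` yields 200 with only the `OPTIONS *` probe sent before TLS.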
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
