Re: How to ensure SSL transactions

2005-10-05 Thread Max Cooper
Jeff, It is common to have SSL between the browser and apache (httpd), and no SSL between apache (httpd) and Tomcat. So you don't need to install a cert on your tomcat. Depending on how you are proxying requests from your httpd server to tomcat (or if you also have load balancers and other compon

Re: How to ensure SSL transactions

2005-10-05 Thread Jeff Thorne
I had a follow-up question to the thread on SSL transactions. Does the SSL cert absolutely need to be installed in the servlet container? My ISP is telling me they will only install certs within the apache web server and not Resin/Tomcat. Is there a way to proxy SSL requests between apache web se

Re: How to ensure SSL transactions

2005-10-04 Thread Tim Coy
Ahh, I see. So what I think you are saying is that I should force the Credit Card transaction form to https even if it is submitted from a http page. That makes sense.
--
Tim Coy
Timco Electronics Pty Ltd
[EMAIL PROTECTED]
> The ideal mode of operation for SSLEXT is that the user does not get
> f

Re: How to ensure SSL transactions

2005-10-04 Thread Max Cooper
On Tue, 2005-10-04 at 18:14 -0400, Dave Newton wrote:
> Tim Coy wrote:
>
> >Point taken and I hadn't considered that.
> >Most users tend to only login once they intend to make a purchase. Then all
> >transactions are via SSL Including browsing for more items to purchase.
> >
> I haven't found that

Re: How to ensure SSL transactions

2005-10-04 Thread Tim Coy
The idea of "flopping" sounds good to me :-) Thanks for the tips
--
Tim Coy
Timco Electronics Pty Ltd
[EMAIL PROTECTED]
> I haven't found that to be the case; I nearly always see just the
> "important data" forms being protected via SSL, which is what I would
> expect.
>
> In any case, sslext

Re: How to ensure SSL transactions

2005-10-04 Thread Dave Newton
Tim Coy wrote:
> Point taken and I hadn't considered that. Most users tend to only login once they intend to make a purchase. Then all transactions are via SSL Including browsing for more items to purchase.
I haven't found that to be the case; I nearly always see just the "important data" forms

Re: How to ensure SSL transactions

2005-10-04 Thread Tim Coy
Point taken and I hadn't considered that. Most users tend to only login once they intend to make a purchase. Then all transactions are via SSL Including browsing for more items to purchase. Once their session expires forward the browser back to the non SSL pages. This does not however preclude the

Re: How to ensure SSL transactions

2005-10-04 Thread Dave Newton
Tim Coy wrote:
> My question is What is the best way to ensure that once a user has signed on that all transactions are via the SSL?
sslext: http://sslext.sourceforge.net/ is one way. I assume you only want to put CC/login stuff under SSL (otherwise it's unnecessary server drag).
Dave -