Re: the flip to HTTPS

From Mike Amling <mamling@chaff.us>
Newsgroups comp.lang.java.security
Subject Re: the flip to HTTPS
Date 2014-09-29 11:55 -0500
Message-ID <c8th74Fbq2vU1@mid.individual.net>
References <ne801a92lkfu7s0or59c13qvvupu015s5q@4ax.com>


On 9/10/14 5:13 AM, Roedy Green wrote:
> I have noticed many sites flipping from HTTP: to HTTPS: even when the
> site has no confidential information.  I asked why.
>
> The answers I got:
>
> 1. Google is pushing it. They will bump your rankings if you do.
>
> 2. Google wants it universal to make life awkward for the snoops. They
> can go on a goose chase decrypting pudding recipes.
>
> 3. HTTPS: is a more robust protocol.
>
> I have always assumed HTTPS: would necessarily completely defeat
> caching.  Surely transport cannot be permitted to know anything at all
> about the structure of the stream it is transmitting, or does it?
>
> Without HTTPS a cacher can serve the same page to several different
> nearby users.

The entity holding the relevant certificate's private key can share 
session keys with other systems. It's fairly common for load balancing 
to share on a LAN. Some sites share the session keys with a content 
delivery network, or caching proxies.

> CloudFront has a funny sort of HTTPS where the cloud encrypts the last
> leg with the caching server's certificate, not the original source's.
> This allows some caching.

Distributing a certificate's private key, or using multiple certificates 
for multiple servers, can also be made to work.

> You can't do a thing with HTTPS to troubleshoot with Wireshark.

Sometimes if you're lucky all you need is traffic analysis.

> I would presume compression is becoming standard along with
> encryption.  I don't know about SPDY.
>
> The irony is this flip to HTTPS: leaves EMAIL still generally
> unprotected. It needs a major overhaul.

--Mike Amling
SSBkb24ndCBzZWUgd2hhdCBhbnkgb2YgdGhpcyBoYXMgdG8gZG8gd2l0aCBKYXZhLg==
