Re: Question: HTTP PUT and SSL:

From: Alun Jones (alun@texis.com)
Date: 01/13/03


From: alun@texis.com (Alun Jones)
Date: Mon, 13 Jan 2003 21:59:11 GMT

In article <u50poyyuCHA.2372@TK2MSFTNGP09>, "Keith W. McCammon" <km@km.com>
wrote:
>
>> 1) First, if we start an HTTP PUT from a page that has been encrypted with
>> SSL, the resulting file transfer is encrypted. True, false, depends?
>
>Correct.

Hmm? Obviously, HTTP isn't my main area of focus, but I thought that each
transaction needed an "https:" tag on it. If the page was transmitted with
"https:" at the start of its action URL, then the PUT will surely only be sent
in https if you've either left off the URN, or specified it as "https:". If
you've accidentally entered it as "http:", the data will go in the clear.

This is why it means little to have a padlock visible at the bottom of the
screen on a "secure" form - all this means is that the blank form was
delivered securely to you, not that the data you send back will be secured.
This has been a bone of contention on more than one site, where the bonehead
webmunchkin has to be shown that his 'secure' site is requiring its users to
transmit credit cards in the clear.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for XP/2000/NT.
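
Added example, not part of the original post: a small Python check for the condition the reply describes, where a page delivered over https carries a form whose action URL resolves to plain http. The page URL, host names and sample HTML are constructed for illustration, and the check also covers `<base href>` and `formaction`, which the post does not mention.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormTargetAudit(HTMLParser):
    """Collect the URL each form (or formaction button) will submit to."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # changes if the page carries <base href>
        self.targets = []         # (tag, method, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.base, a["href"])
        elif tag == "form":
            # A missing or empty action submits back to the page's own URL.
            url = urljoin(self.base, a.get("action") or "")
            self.targets.append((tag, (a.get("method") or "get").lower(), url))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self.targets.append((tag, "override", urljoin(self.base, a["formaction"])))


def cleartext_targets(page_url, html):
    """Return submission targets of an https page that resolve to http."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("audit is meant for pages delivered over https")
    audit = FormTargetAudit(page_url)
    audit.feed(html)
    return [t for t in audit.targets if urlsplit(t[2]).scheme == "http"]


# Constructed sample page, assumed to be served from https://shop.example/checkout
SAMPLE = """
<form method="post" action="/pay">...</form>
<form method="post" action="http://shop.example/pay">...</form>
<form method="post">...</form>
<form method="post" action="//shop.example/pay">...</form>
<form method="post" action="https://shop.example/pay">
  <input type="submit" formaction="http://shop.example/legacy">
</form>
"""

if __name__ == "__main__":
    for tag, method, url in cleartext_targets("https://shop.example/checkout", SAMPLE):
        print(f"cleartext submission: <{tag}> {method} -> {url}")
```

Relative, empty and scheme-relative actions inherit https from the page; only the explicit `http:` targets are reported.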

