php3-list | 199807

Re: [PHP3] Security
From: Kristian Koehntopp (kk <email protected>)
Date: 07/29/98

Cameron Just wrote:
> SSL requires only the server to be set up to use the
> SSL protocol? My normal PHP3 pages can just sit in
> the SSL area of the server and I need do no more.
> The server and browser take care of it all automatically?

Yes. SSL is a protocol level thing. You can think of it as an
additional encryption and authentication layer that has been
wedged between layer 4 (TCP) and layer 5 (HTTP) of your protocol
stack. It is almost transparent to the calling server.

> The reason I ask is that I can never find any clear
> documentation about how to actually use this protocol.
> We have SSL set up on our servers and if it's
> that easy to use then I will be using it a lot more from now on.

No, you won't.

Because of the nature of SSL, there are several requirements and
constraints which don't scale well. You don't want to make SSL
your standard protocol, as desirable as it may seem at first.

Because SSL is a thing on top of TCP, SSL negotiation and
authentication is being done at TCP connect time. That is BEFORE
HTTP kicks in and it is BEFORE a HTTP "Host:" request header is
presented. So if someone connects to your HTTP SSL server, you
can't know at TCP/SSL connect time, which host you are supposed
to be and which certificate you should present. In essence this
boils down to "IP-less hosting with SSL is not possible" or "Each
SSL server requires and consumes an IP address".

Next thing is that certain (many!) parts of a HTTP connect are
known plaintext. GIFs for example are known plaintext and have a
characteristic length. So are many protocol headers. Thus, you
don't want to encrypt static content with the same session key as
the variable and valuable information you want to protect. This
boils down to "HTTP 1.1 extensions such as session keep alive
don't mix well with SSL. One request, then close connection.".
Together with TCP slow start this isn't going to improve
performance...

In essence, you have to swap SSL and HTTP on the protocol stack
and to implement a HTTP specific security protocol to fix this.

Kristian

-- 
SH Online Dienst GmbH, Kristian Koehntopp,
Siemenswall, 24107 Kiel, +49 431 386 436 00
Using PHP3? See our web development library at
http://phplib.shonline.de/ (GPL)
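
Added example, not part of the original message: a small configuration check built on the constraint described above, that the server knows only the local IP address and port when it must present its certificate, while plain HTTP can tell hosts apart by the "Host:" header. The host names, addresses, certificate file names and function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample configuration: hypothetical names, documentation addresses.
VHOSTS = [
    {"name": "www.example.com",   "ip": "192.0.2.10", "port": 80,  "cert": None},
    {"name": "blog.example.com",  "ip": "192.0.2.10", "port": 80,  "cert": None},
    {"name": "shop.example.com",  "ip": "192.0.2.10", "port": 443, "cert": "shop.pem"},
    {"name": "mail.example.com",  "ip": "192.0.2.10", "port": 443, "cert": "mail.pem"},
    {"name": "admin.example.com", "ip": "192.0.2.11", "port": 443, "cert": "admin.pem"},
]


def route_plain_http(vhosts, ip, port, host_header):
    """Plain HTTP: the Host header is readable, so names can share one IP."""
    for v in vhosts:
        if (v["ip"], v["port"], v["name"]) == (ip, port, host_header.lower()):
            return v["name"]
    return None


def certificate_at_connect(vhosts, ip, port):
    """SSL: only the local IP and port are known when the certificate is sent.

    Returns the single certificate configured for that listener, or raises
    LookupError when none or several different ones are configured.
    """
    certs = {v["cert"] for v in vhosts
             if (v["ip"], v["port"]) == (ip, port) and v["cert"]}
    if len(certs) != 1:
        raise LookupError(f"{ip}:{port}: {len(certs)} candidate certificates")
    return certs.pop()


def ssl_conflicts(vhosts):
    """Map each (ip, port) carrying more than one certificate to its host names."""
    by_listener = defaultdict(list)
    for v in vhosts:
        if v["cert"]:
            by_listener[(v["ip"], v["port"])].append(v)
    return {
        listener: sorted(v["name"] for v in group)
        for listener, group in by_listener.items()
        if len({v["cert"] for v in group}) > 1
    }


if __name__ == "__main__":
    for (ip, port), names in ssl_conflicts(VHOSTS).items():
        print(f"{ip}:{port} cannot serve distinct certificates for {', '.join(names)}")
```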
