[thelist] quick ssl question
Judah McAuley
judah at alphashop.com
Tue Nov 28 17:23:43 CST 2000
At 06:06 PM 11/28/2000 -0500, you wrote:
>um, i dunno why, but i could swear i've seen plain https URLs in
>my logs as referrers...
>
>is that what you mean?
>
>can you test it?
We could both be right. My understanding (which is limited) is that a
browser goes to a server containing the IP address of the secure URL that
was requested. They then perform a handshake. The web server presents a
certificate representing the credentials of the site being secured. Those
credentials include the fully qualified domain name, the authority issuing
the certificate, and the details about the company to whom the certificate
was issued. If the credentials are acceptable under the security
restrictions set by the browser, then keys are exchanged and encryption is
set up. Commonly, those security restrictions would require the
certificate on the server to have a valid expiration date, be issued by a
trusted chain of authority (Verisign, Thawte, etc.), and have a fully
qualified domain name which matches the requested domain name. Once those
restrictions are met and the encryption keys are set up, then the full URL
is requested over the encrypted connection and data gets passed back and forth.

It could very well be that https URLs are sent as plain-text referrers to
non-secure pages. The encrypted session has ended and the referer
information is sent by the browser, so it may be a browser implementation,
rather than a server side HTTP 1.0 spec sort of thing. It could also be
that I'm wrong about the order in which URL requests/encryption happens.

As far as testing goes, I think you would have to use a packet sniffer and
see what is being passed over the wire. If it's in plain text, then it's
not encrypted.

Hope this helps,
Judah
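The message above describes two things a practitioner may want to see modelled in code: the acceptance rules a browser applies to a server certificate before exchanging keys (validity period, trusted issuer, name matching the requested host), and the question of whether an https URL ends up as a plain-text Referer on a request to a non-secure page. The following is an added example, not code from the original post or the list. It models the certificate checks on a small constructed `Certificate` record (a stand-in for the real X.509 fields, with a hypothetical trust store `TRUSTED_ISSUERS`), applies the HTTP/1.1 rule from RFC 2616 section 15.1.3 that a client SHOULD NOT send a Referer on a non-secure request when the referring page was delivered over a secure protocol, and scans constructed combined-format access log lines for https referrers, which is what you would look for in the logs of a plain-http server to confirm the leak the thread is asking about.

```python
"""Added example: browser certificate checks, the RFC 2616 Referer rule, and a
log scan for https referrers arriving at a non-secure server."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit


# Constructed stand-in for the certificate fields the post names; real
# certificates carry these in X.509 subject/issuer/validity/subjectAltName.
@dataclass
class Certificate:
    subject_cn: str
    issuer: str
    not_before: datetime
    not_after: datetime
    san: list = field(default_factory=list)   # subjectAltName DNS names


# Hypothetical trust store standing in for the browser's list of authorities.
TRUSTED_ISSUERS = {"Example Root CA"}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' may replace only the leftmost label
    and must be followed by at least two labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) >= 3
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def check_certificate(cert, requested_host, now=None, trusted=TRUSTED_ISSUERS):
    """Return the reasons a browser would refuse the certificate; an empty
    list means the three restrictions the post lists are all satisfied."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not (cert.not_before <= now <= cert.not_after):
        problems.append("certificate is not within its validity period")
    if cert.issuer not in trusted:
        problems.append(f"issuer {cert.issuer!r} is not a trusted authority")
    # subjectAltName takes precedence; fall back to the subject CN if absent
    names = cert.san or [cert.subject_cn]
    if not any(hostname_matches(n, requested_host) for n in names):
        problems.append(f"no certificate name matches {requested_host!r}")
    return problems


def referer_to_send(referring_url, request_url):
    """Referer value a spec-following client sends, or None when it must be
    suppressed (secure referring page, non-secure request; RFC 2616 15.1.3).
    User info and fragment are always stripped from the value."""
    ref, req = urlsplit(referring_url), urlsplit(request_url)
    if ref.scheme == "https" and req.scheme != "https":
        return None
    host = ref.hostname or ""
    if ref.port:
        host += f":{ref.port}"
    value = f"{ref.scheme}://{host}{ref.path or '/'}"
    return value + (f"?{ref.query}" if ref.query else "")


# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')


def https_referers_in_log(lines):
    """Return (request, referer) pairs whose Referer names a secure page.
    Run over a plain-http server's log, each hit is an https URL that a
    client sent in clear text."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["referer"].lower().startswith("https://"):
            hits.append((m["request"], m["referer"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Nov/2000:17:23:43 -0600] "GET /index.html HTTP/1.0" 200 1234 '
    '"https://shop.example/checkout?order=42" "Mozilla/4.0"',
    '203.0.113.9 - - [28/Nov/2000:17:24:01 -0600] "GET /about.html HTTP/1.0" 200 512 '
    '"http://www.example/" "Mozilla/4.0"',
    '203.0.113.9 - - [28/Nov/2000:17:24:05 -0600] "GET /logo.gif HTTP/1.0" 200 2048 '
    '"-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for request, referer in https_referers_in_log(SAMPLE_LOG):
        print(f"secure referer in clear text: {referer} -> {request}")
```

The log scan is the offline counterpart of the packet sniffer the post suggests: a packet capture shows the Referer header on the wire, while the log shows the same value after the non-secure server has recorded it.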