From: Claes W. <kl...@ta...> - 2011-03-02 22:20:37

On 03/02/2011 10:45 PM, Peter W. Morreale wrote:
> On Wed, 2011-03-02 at 22:08 +0100, Hans-Christian Esperer wrote:
>> Excerpts from Peter W. Morreale's message of Wed Mar 02 15:57:42 +0100 2011:
>>> What I'd like to do is have non-SSL requests (e.g. http://[host]/login)
>>> "turn on" SSL between the browser and yaws prior to displaying the login
>>> page. Is this as simple as performing a redirect to
>>> https://[host]/login? Is this a case for redirect_self() instead?
>>
>> That's one way of doing it as far as I can tell. What exactly is your
>> idea, though? Why do you not link to the https version directly?
>>
>
> We likely will. This is merely for the case of someone initially
> entering in the site. My thinking is that a non-ssl request causes a
> redirect to the https side, for a saml login. Hence the other
> questions.

Just use a regular redirect from the http site to the https site.
Standard stuff that everyone does.

>
>> Also, you should keep in mind that anything that "turns on" SSL from
>> http can be circumvented; i.e., have a look at SSLStrip:
>> http://www.thoughtcrime.org/software/sslstrip/
>>
>
> Thanks for this, I will listen.

Don't listen too much, as far as I can tell this is basically irrelevant
in real life. Requires arpspoof or similar.

/klacke
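As an added example (editor's code, not from the thread or from yaws itself): a minimal yaws appmod mounted on the plain-HTTP `<server>` that does the regular redirect klacke describes, preserving path and query string, plus the Strict-Transport-Security header a practitioner would emit from the HTTPS side so that returning browsers no longer start on http at all. The module name, the fallback host, the yaws.conf sketch and the HSTS lifetime are assumptions.

```erlang
%% redirect_to_https.erl  (assumed module name; example code, not yaws's own)
%% Mount only on the port-80 <server>, e.g. in yaws.conf:
%%   <server example.com>           <server example.com>
%%       port = 80                      port = 443
%%       listen = 0.0.0.0               listen = 0.0.0.0
%%       appmods = </, redirect_to_https>   <ssl> ... </ssl>
%%   </server>                      </server>
-module(redirect_to_https).
-export([out/1, hsts_header/0]).
-include_lib("yaws/include/yaws_api.hrl").

%% Every plain-HTTP request becomes a 302 to the same path on https.
out(Arg) ->
    Hdrs  = Arg#arg.headers,
    Host  = case Hdrs#headers.host of
                undefined -> "example.com";        %% assumed fallback host
                H         -> strip_port(H)         %% drop ":80" if present
            end,
    Path  = Arg#arg.server_path,
    Query = case Arg#arg.querydata of
                undefined -> "";
                []        -> "";
                Q         -> "?" ++ Q
            end,
    {redirect, "https://" ++ Host ++ Path ++ Query}.

%% For use in the HTTPS server's own appmod, e.g.
%%   out(_Arg) -> [redirect_to_https:hsts_header(), {html, Page}].
%% Tells browsers to use https directly for the next year, which removes
%% the plain-http first hop that SSLStrip-style attacks rely on.
hsts_header() ->
    {header, "Strict-Transport-Security: max-age=31536000"}.

%% "example.com:80" -> "example.com" (IPv6 literal hosts are not handled).
strip_port(H) ->
    hd(string:tokens(H, ":")).
```

Redirecting every request rather than only /login matters: a single unprotected http response on the site is enough for the downgrade described in the thread.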