Re: [Erlyaws-list] yaws and SSL...

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On 03/02/2011 10:45 PM, Peter W. Morreale wrote:
> On Wed, 2011-03-02 at 22:08 +0100, Hans-Christian Esperer wrote:
>> Excerpts from Peter W. Morreale's message of Wed Mar 02 15:57:42 +0100 2011:
>>> What I'd like to do is have non-SSL requests (eg: http://[host]/login)
>>> "turn on" SSL between the browser and yaws prior to displaying the login
>>> page.  Is this as simple as performing a redirect to
>>> https://[host]/login?   Is this a case for redirect_self() instead?
>>
>> That's one way of doing it as far as I can tell. What exactly is your
>> idea, though? Why do you not link to the https version directly?
>>
>
> We likely will.  This is merely for the case of someone initially
> entering in the site.  My thinking is that a non-ssl request causes a
> redirect to the https side, for a saml login.   Hence the other
> questions.

Just use a regular redirect from the http site to the https site.
Standard stuff that everyone does.

>
>> Also, you should keep in mind that anything that "turns on" SSL from
>> http can be circumvented; i.e., have a look at SSLStrip:
>> http://www.thoughtcrime.org/software/sslstrip/
>>
>
> Thanks for this, I will listen.

Don't listen too much, as far as I can tell this is basically
irrelevant in real life. Requires arpspoof or similar.

/klacke