Re: SSL explanation (was: Re: Global Namespaces)
- From: Chris Travers <..hidden..>
- Date: Sat, 13 Mar 2010 20:05:20 -0800
On Sat, Mar 13, 2010 at 7:18 PM, Adam Thompson <..hidden..> wrote:
> Chris Travers wrote:
>> On Sat, Mar 13, 2010 at 5:21 PM, Luke<..hidden..> wrote:
>>> I am assuming SSL. Correct me if I am wrong, but my recollection is that
>>> the query string (I.E. get) is in the clear with SSL, whereas post data is
>>> not.
>>> Do I have a fundamental misunderstanding or massive brain fart here?
>>
>> The SSL negotiation occurs as part of the socket establishment (hence
>> the name). This is why you can't supply different certificates based
>> on, say, the HOST header. SSL protects the whole socket, not just the
>> payload.
>
> Translation: yes, you have a fundamental misunderstanding. The second
> most common one, in my experience, so I won't accuse you of a "massive
> brain fart", as amusing as that might be :-).
>
> Since understanding of how SSL works is still quite rare in practice,
> and *many* people arrive at erroneous conclusions based on incorrect or
> incomplete knowledge, I'd like to expand a bit on Chris' statements:
>
Great explanation. Also one more reference is the Wikipedia page on
"Transport Layer Security" (which is basically a later version of
SSL).
Best Wishes,
Chris Travers