
Re: SSL explanation (was: Re: Global Namespaces)



On Sat, 13 Mar 2010, Adam Thompson wrote:

Chris Travers wrote:
On Sat, Mar 13, 2010 at 5:21 PM, Luke<..hidden..>  wrote:
I am assuming SSL.  Correct me if I am wrong, but my recollection is that
the query string (i.e. GET) is in the clear with SSL, whereas POST data is
not.
Do I have a fundamental misunderstanding or massive brain fart here?

The SSL negotiation occurs as part of the socket establishment (hence
the name).  This is why you can't supply different certificates based
on, say, the HOST header.  SSL protects the whole socket, not just the
payload.

Translation: yes, you have a fundamental misunderstanding.  The second
most common one, in my experience, so I won't accuse you of a "massive
brain fart", as amusing as that might be :-).

Since understanding of how SSL works is still quite rare in practice,
and *many* people arrive at erroneous conclusions based on incorrect or
incomplete knowledge, I'd like to expand a bit on Chris' statements:

Very nice explanation. If, at some point in the last [disturbingly large number of years building SSH and VPN tunnels of various kinds] I had stopped for a bit to consider the name in depth, I might have got there. I certainly should have, and I'm going to tell myself that I would have, if I had only taken the time to really think about it. Yeah, that's the ticket.

That fine writeup goes into my "useful stuff to keep around and forward" file.

Luke
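A concrete check of the point made in the thread, added here as an example and not part of the original mail: it makes a real HTTPS request to an in-process Go test server, records every byte the client sends, and lets the caller confirm that the request line with its query string and the Host header never appear in the clear, only inside encrypted TLS records. The one name that does cross the wire in plaintext is the server name in the ClientHello's SNI extension, which is how a server today picks a certificate per host, since the Host header only arrives after the handshake. The server, the hostname `example.com` (the test server's certificate carries it as a SAN) and the query values are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"net"
	"net/http"
	"net/http/httptest"
)

// recordingConn keeps a copy of every byte the client puts on the wire.
type recordingConn struct {
	net.Conn
	wire *bytes.Buffer
}

func (r *recordingConn) Write(b []byte) (int, error) {
	r.wire.Write(b)
	return r.Conn.Write(b)
}

// SendOverTLS makes an HTTPS request for path to an in-process loopback server and
// returns the raw bytes the client sent plus the URL (path and query) the server saw.
func SendOverTLS(path string) (wire []byte, seenURL string, err error) {
	seen := make(chan string, 1)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.URL.String() // what the server sees after TLS decryption
	}))
	defer srv.Close()
	// Trust exactly the test server's self-signed certificate instead of switching verification off.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	raw, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return nil, "", err
	}
	rec := &recordingConn{Conn: raw, wire: &bytes.Buffer{}}
	cli := tls.Client(rec, &tls.Config{ServerName: "example.com", RootCAs: pool})
	defer cli.Close()
	// The request line (query string included) and the Host header are written through
	// the TLS layer, so they travel inside encrypted application-data records.
	req := "GET " + path + " HTTP/1.0\r\nHost: example.com\r\n\r\n"
	if _, err = cli.Write([]byte(req)); err != nil {
		return nil, "", err
	}
	resp := make([]byte, 4096)
	cli.Read(resp) // wait for the response so the handler has run
	return rec.wire.Bytes(), <-seen, nil
}
```

Searching the returned wire bytes for the query string finds nothing, while the server's handler received the full path and query intact.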