[erlang-questions] Yaws with HTPPS authentication + HTTP

Bob Ippolito bob@REDACTED
Thu May 24 22:52:55 CEST 2007

HTTPS *is* HTTP over SSL. That's what the S means (unless it means
TLS). It's transport level encryption that prevents eavesdropping and
man in the middle attacks. This is what uses the CPU.  It's still
*just* HTTP other than the transport, in the same way that HTTP is the
same over wireless or wired LAN.

Typical HTTPS implementations do of course have a server certificates
so that the client can verify they're talking to the same server over
several different requests. Client certificates are different in that
each client needs their own certificate that the server can use to
verify who the client is. If you're using client certs you don't need
logins or passwords.


On 5/24/07, Patrick <patrickerj@REDACTED> wrote:
> Generally https data transfer is encrypted with ssl, but if i use
> session identifiers then what is the difference between http and
> https? Generally as i understand https is much more heavy on cpu than
> his counterpart. But without certificate authentication what is the
> advantage of https anyway?
> Patrick
> > > @Bob
> > > Well actually when i sign into gmail i actually land on https page and
> > > after i login it redirects me on http page...
> > > Anyway i will use https for starters until i understand how to
> > > transfer credentials without loosing security to http pages on my site
> > > (i presume the user is checked for credentials with https every now
> > > and then - don't know how this works) .
> >
> > The page with the login form is always https, of course. I was
> > ignoring the URL of that in my examples because it's irrelevant. It
> > doesn't have to be even on the same domain using the kind of
> > authentication scheme that Google does. The page you *started at*, the
> > one that redirected you to the login page, is the one that determines
> > where you go after logging in.
> >
> > HTTPS is just transport level security (unless you're using client
> > certificates, which you're not). Authentication of this kind is at the
> > application level and the transport you're using (http vs. https)
> > doesn't change anything. It's usually some expiring token, stored in a
> > cookie, that you can verify on every request.
> >
> > -bob
> >
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://www.erlang.org/mailman/listinfo/erlang-questions

More information about the erlang-questions mailing list