Http or https

kee nethery kee at kagi.com
Sat Nov 23 21:38:01 EST 2002


On Friday, November 22, 2002, at 04:20 PM, Chipp Walters wrote:

> I got a question for all of you https users.... Exactly what do you 
> want it for? Please cite some examples.

We have databases of customer data that need to be searched for us to 
do customer support. We can live with HTTP for people on our internal 
LAN but we do have remote employees and they are not allowed to pass 
customer data via clear text. We could do a secure tunnel but setting 
that up and managing it would be a pain and expensive.

These database systems have internal Web server CGIs that are allowed 
to access them. I have really nice interfaces into this data with lots 
of business logic using RR. But no one outside our local LAN is allowed 
to use these tools until the data is encrypted when going over public 
networks.

We have thousands of suppliers who use our services and for now, their 
only access is via web browser (via HTTPS).

> IOW, would it be better to have an encrypt
> tool instead?

No. I do not want to be the person building encryption. If someone 
intercepted personal data because I was transferring it via a home brew 
security system, I think that would be a very bad thing for our 
reputation.

> Next question... how much would everyone be willing to pay for an https
> external?
>
> $0
> $1000
>
> somewhere in-between?

I would not use an HTTPS external. The focus is security and the 
easiest way to defeat HTTPS is to build a trap door into the code. How 
do I know that an HTTPS external is safe to use? How do I know that it 
has been tested adequately? How do I know that the code I've downloaded 
has not been compromised (like the Sendmail version a couple months 
ago)? As an external there is just not much that an individual can do 
to convince me to trust their code.

For me, HTTPS has to come with RR and it has to be backed by them. They 
have to fear that they will suffer a loss of reputation if there is 
something evil in their HTTPS code, and do enough code reviews and 
testing to convince themselves that they are supplying a secure set of 
code.

Also, I'd feel a lot better if every RR user could use and observe the 
RR HTTPS solution. The more users the better.

Just my paranoid 2 cents.

Kee Nethery
