On Tue, Nov 10, 2009 at 6:37 PM, Eric Covener <covener@xxxxxxxxx> wrote:
> On Tue, Nov 10, 2009 at 6:20 PM, Stephen Love <stephenlove@xxxxxxxx> wrote:
>> So what you are telling me is that there IS no REAL 2-way handshaking going
>> on. Then we've lost ALL hope of security.
>>
>
> What's "REAL" in this context? It's not authenticated and doesn't
> result in some session establishment unless you configure your
> application to require/manage such a thing?
>
> --
> Eric Covener
> covener@xxxxxxxxx

[clip]

Yes, why don't you tell us exactly what you want to do, what's your end goal? Visitor stats? Geographic locating? Authentication of a real-world identity? There's a lot of very bright and very knowledgeable people on this list, so if there's any way at all to do what you want, then there is a very good chance that somebody here will be able to tell you. It just might not be done the way you think it should be.

As many of us have said, TCP is an end to end protocol. And in fact, it is stateful, so you can send messages back and forth between the two end points for as long as the connection is open. There is a handshake that goes on between the two end points to set up this connection, but this is not any sort of real authentication process that confirms the identity of either end. What TCP gets you is pretty good confidence that you are talking to the same person you were when you started the conversation, but even that confidence is really only upheld in the absence of active attacks like IP spoofing, and it provides absolutely no confidence that there aren't other people listening to the conversation, and potentially even participating in the conversation.

If you're looking for security: like making sure no one else is listening to the conversation, no one else is modifying the conversation data, and/or making sure that the person on the other end is who they claim to be... then you're going to need a much more sophisticated protocol than TCP, IP, or HTTP. SSL/TLS provides all these things, with the latest TLS version believed to be quite secure with current technologies and techniques. HTTPS layers HTTP over a secure SSL or TLS connection, and is available in Apache with mod_ssl.

Your comment that "we've lost ALL hope of security" is quite accurate with regards to HTTP, TCP, and IP alone. These protocols were really not designed with any attention to security as security wasn't really an acknowledged concern at the time they were created. Thus we have add-on protocols like SSL and TLS.

Anyway, back to my point: tell us what you're actually trying to do and there's a good chance someone can help you, as long as you're willing to let go of any preconceived notions on how to get the job done (that's always the biggest stumbling block to learning something new).

Cheers,
-Brian

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
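
Added example, not part of the original message or of the Apache project's documentation: a mod_ssl configuration sketch in which the server proves its identity with a certificate and, for the case where both ends must be authenticated, the client must present one too. It assumes a current Apache httpd 2.4 build with mod_ssl and mod_alias loaded; the host name and every file path are placeholders.

```apache
# Added example. www.example.com and all paths below are placeholders.
# Assumes Apache httpd 2.4 with mod_ssl and mod_alias loaded.
Listen 443

# Plain HTTP gives only the TCP handshake: no identity, no confidentiality,
# no integrity. Serve nothing here; send every request to the TLS host.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/example"

    SSLEngine on

    # Server side of the handshake: the certificate tells the client
    # which server it is talking to.
    SSLCertificateFile    "/etc/ssl/example/server.crt"
    SSLCertificateKeyFile "/etc/ssl/example/server.key"

    # Refuse SSLv3 and early TLS; allow only current protocol versions.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Client side of the handshake: require a certificate issued by the
    # CA in this file. Without these three lines the client stays
    # anonymous at the TLS layer and must be authenticated by the
    # application (for example with a login form over HTTPS).
    SSLCACertificateFile "/etc/ssl/example/client-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Directory "/var/www/example">
        # Expose SSL_CLIENT_S_DN and related variables so the application
        # can see which certificate subject made the request.
        SSLOptions +StdEnvVars
        Require all granted
    </Directory>
</VirtualHost>
```

With `SSLVerifyClient require` set at virtual-host level, clients without a certificate from the listed CA fail the TLS handshake before any HTTP request is processed.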