Re: checking for and enforcing https

On Tue, Feb 26, 2008 at 1:11 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
> At 12:10 PM -0500 2/26/08, Daniel Brown wrote:
>  >On Tue, Feb 26, 2008 at 11:54 AM, tedd <tedd.sperling@xxxxxxxxx> wrote:
>  >>   At present, I use the actual directories (http/https) to determine if
>  >>   the operation of the script is secure or not.
>  >
>  >     You also hijack other people's threads.  No-no, Tedd!  *slaps hand*
>
>  It's a related hijack. And, it's "hijacked" (grammar police).

    Check your tense, Mr. Sperling.  You said, "At present, I use",
which sets the tense for my "You also hijack" statement.  Grammar
Rent-A-Cop.  ;-P


>  At 9:51 AM -0800 2/26/08, Warren Vail wrote:
>  >Most of my ISPs set up their servers to pull from the same base path for
>  >both secure forms and non-secure forms, and I use something similar to below
>  >to enforce the right one is being used.  One of the benefits of doing this
>  >is I can imbed the same images and graphics by using the same business path
>  >for them and only changing the protocol (https).  Most browsers will
>  >complain if you imbed http images in a https form.

    And rightly they should!  Any embedded images, Flash movies,
scripts, frames, references, or objects can "sniff the wire" with
minimal manipulation.  As a proof of concept back in 2005 (which still
works today), I modified an image to be used on MySpace which is able
to grab personal information and redirect to http://www.gfy.com/.  And
no, that's not short for Goofy.com.... even though he is the best
cartoon character ever.  The problem is, there's nothing MySpace (or
any site in which the graphic is displayed) can do about it, short of
disabling all remote src="" calls.

    Thus, even locally, all things should be encrypted when sent on an
SSL connection.  If not, why bother encrypting anything at all?  A
house is only as secure as the strength of the glass in the windows.

On Tue, Feb 26, 2008 at 1:11 PM, tedd <tedd.sperling@xxxxxxxxx> wrote:
>  You guys rock!

    Damn straight.

>  You gave me a different perspective of what http and https is. I was
>  thinking it was an inherited directory thing when it's actually a
>  protocol that can be declared regardless of where the scripts are
>  located.

    It's fun to learn, 'cause knowledge is power!  ;-P

        -------------------*
    The More You Know!

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
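
Added example, not part of the original message or of any poster's code: one way to decide "secure or not" from the request itself rather than from the directory a script lives in, redirect plain-HTTP requests to HTTPS, and build image URLs on the same base path so only the protocol changes. The function names, the host www.example.com and the sample request arrays are assumptions made for illustration.

```php
<?php
// Added example; function names, host name and sample values are hypothetical.

/** True when the request arrived over TLS, judged from the request itself. */
function request_is_https(array $server): bool
{
    // Apache/mod_php sets HTTPS to "on"; IIS sets it to "off" for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

/** The https:// URL for the same path, or null when the request is already secure. */
function https_redirect_target(array $server, string $canonicalHost): ?string
{
    if (request_is_https($server)) {
        return null;
    }
    // Use a configured host name rather than the client-supplied Host header,
    // and strip CR/LF so the path cannot inject extra response headers.
    $path = str_replace(["\r", "\n"], '', $server['REQUEST_URI'] ?? '/');
    return 'https://' . $canonicalHost . $path;
}

/** Same asset path on both schemes; only the protocol changes. */
function asset_url(array $server, string $canonicalHost, string $path): string
{
    $scheme = request_is_https($server) ? 'https' : 'http';
    return $scheme . '://' . $canonicalHost . '/' . ltrim($path, '/');
}

// Constructed sample requests standing in for $_SERVER.
$plain  = ['SERVER_PORT' => '80', 'REQUEST_URI' => '/checkout.php?step=2'];
$secure = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'REQUEST_URI' => '/checkout.php?step=2'];

var_dump(https_redirect_target($plain, 'www.example.com'));
var_dump(https_redirect_target($secure, 'www.example.com'));
echo asset_url($secure, 'www.example.com', '/images/logo.png'), "\n";

// In a real page, before any output is sent:
// if ($to = https_redirect_target($_SERVER, 'www.example.com')) {
//     header('Location: ' . $to, true, 301);
//     exit;
// }
```

Behind a TLS-terminating proxy the application server sees plain HTTP, so the check would also need a forwarded-protocol header that is accepted only from that proxy.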

