[CLUE-Tech] apache ssl only on non-well-known port?
Angelo Bertolli
angelo at freeshell.org
Fri Apr 2 19:33:30 MST 2004
You know, I've been thinking about this, and I'm starting to think that
the methods we use for https are incorrect. When I thought about it I
realized that we're trying to defend against two distinct types of
security attacks using one single method--and separating those issues
and the methods would be better. The first is encryption, which allows
us to communicate through a connection and not let anyone "hear" what
we're saying. The second is knowing that who we are talking to is who
they say they are. The current way https is set up, these two things
are joined at the hip. Your server key is used for your encryption, and
your certificate is based on your server key. Does anyone see a better
way to do this?
Angelo