Re: Switching to SSL under mod

I think what you are doing doesn't make much sense.

Let's break down redirects for two cases:

GET request: Carries all the information in the URL. You could redirect this request easily, but there is no point in doing that. Why? Because whoever was sniffing your traffic has already sniffed the data. Transfering the same data again over HTTPS just gives the attacker lots of clear text to try "known plaintext" attacks against your secret key.
POST request: POST request does not carry the data in the URL, that data is posted separately, once the connection is established. However, handling of redirected POST requests is extremely browser dependant.

In addition, if your form is directed to a HTTP address, the people filling out the form won't see the little "safe-data" lock in the corner of their browser window, even thought their data might be safe.

In short, if you control the forms enough that you could switch them from GET to POST, you control them enough to change the address to https. And if you find a way to implement what you're planing, it won't do you any good.

Except that you will learn something of mod_perl - that may or may not make it worth it to you.

Comment on Re: Switching to SSL under mod_perl

Replies are listed 'Best First'.
Re: Re: Switching to SSL under mod_perl by jest (Pilgrim) on Mar 09, 2004 at 16:48 UTC
I'm not sure I follow. If someone heads to a login page, there's no form yet. On their way, they're redirected over a secure link. When they get to the login page, they're on HTTPS. They enter secret information, it goes over HTTPS, and if they're appropriately authenticated, they get sent to some other page over HTTP, and there's no secret information being sent any more. It's the same for my other examples--a user tries to visit http://www.mysite.com/edit/secret_table?id=12, they get switched to a secure link before they get there, not after they're entered info. Back to mod_perl for a sec--does this have to be handled in a PerlTransHandler, or can I just remap the URL in the regular handler I'm using?	[reply]
Re: Re: Re: Switching to SSL under mod_perl by iburrell (Chaplain) on Mar 09, 2004 at 20:25 UTC
Whether you need mod_perl depends on how you determine if a page needs to be secure or not. If it is simple, like login.cgi and secret_table are always secure, then I would use mod_rewrite. If it is more complex, like secret_table is only protected for id=12, then you need to use mod_perl. I would consider trying to simplyify it so that the need to https is always. Also, you might want to consider doing everything with https. This doesn't work on a public login site but makes a lot of sense on an intranet. This has the advantage that you don't have to worry about errors in the access control since everything is encrypted.	[reply]