Secure URLs


Post by Mikhail Kuperbl » Mon, 31 Jan 2000 04:00:00



It appears that once a secure URL is called (via https://...),
every URL that is called from within that original secure URL
automatically inherits encrypted (i.e. https://...) status if they
are coded as:

<a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.

Is there any way to force the above URLs to always revert to
a non-secure (i.e. http://...) connection short of calling a fully
qualified "http://www.foo.xxx://foo.html"? Thanks.

Server version: Apache/1.3.11 (Unix)

-mk

 
 
 


Post by Peter » Mon, 31 Jan 2000 04:00:00



> It appears that once a secure URL is called (via https://...),
> every URL that is called from within that original secure URL
> automatically inherits encrypted (i.e. https://...) status if they
> are coded as:

> <a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.

> Is there any way to force the above URLs to always revert to
> a non-secure (i.e. http://...) connection short of calling a fully
> qualified "http://www.foo.xxx://foo.html"? Thanks.

In general, not that I'm aware of. You could try using a <BASE> tag on
the document with the hyperlink, like
<BASE HREF="http://www.example.com/">, but that would also apply to
other references on the page, most notably the SRC attributes of <IMG>
tags. So you'd have to make other tags fully qualified, e.g.
<IMG SRC="https://www.example.com/foo.png" ALT="Foo">.

Another approach I have taken with Netscape's Enterprise server is to
make a file-not-found error handler function that redirects to a
different server. So the user initially requests
https://www.example.com/foo.cgi?bar and, the SSL server not having
such a URI, the client is redirected to
http://www.example.com/foo.cgi?bar. The biggest problem I've
encountered with that is that any "#" internal name refs in the
original link will be lost. (It's also a waste of bandwidth and SSL
server resources; you just have to balance that cost against the cost
of fixing the HREF's). I assume something similar is possible in
Apache; I've never had to try.

-Peter

--
http://www.bastille-linux.org/ : working towards more secure Linux systems

 
 
 


Post by Alan J. Flavel » Mon, 31 Jan 2000 04:00:00



> It appears that once a secure URL is called (via https://...),
> every URL that is called from within that original secure URL
> automatically inherits encrypted (i.e. https://...) status if they
> are coded as:

> <a href="foo.html">foo</a> or <a href="/cgi-bin/foo.cgi">foo</a>.

Of course.  This has nothing specifically to do with secure URLs, it's
a natural consequence of the rules for resolving relative URLs with
respect to the base URL of the document.

> Is there any way to force

Oh dear.  The standard answer to all such questions is "force does not
work on the WWW".  However, for once it's not that bad.

> the above URLs to always revert to
> a non-secure (i.e. http://...) connection short of calling a fully
> qualified "http://www.foo.xxx://foo.html"?

You can obviously specify a BASE tag in HTML.

But you might want to keep in mind that browsers tend to alert users
about leaving a secure site, which is understandable for security
reasons; so you could be causing them quite a lot of nuisance with
security alerts if you expect them to be entering and leaving the
secured server while browsing around.

As always, the use of a BASE tag can make page previewing inconvenient
(i.e. prior to posting onto the actual server).  If you work in that
way, you might want to leave the BASE out until you're ready to
actually publish the page to the server.

> Server version: Apache/1.3.11 (Unix)

OK, it's good to provide as much relevant detail as possible when
posting questions.  But in this particular instance, it's a feature of
the protocols and of the behaviour of client browsers, so I don't
think your actual server makes any difference in this regard.
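
Added example, not part of any post in this thread: the relative-URL resolution and the BASE side effect discussed above, worked through with the standard `URL` class. It lists which references on an HTTPS page would end up on plain HTTP once a BASE tag is added, and shows that the "#" fragment never reaches the server. Hostnames, paths and function names are constructed for illustration.

```javascript
// Added example: standard URL resolution (global URL class in Node.js and browsers).
// All hostnames and paths below are constructed sample values.

// Resolve each reference the way a browser does: against the <BASE HREF>
// if the document declares one, otherwise against the document's own URL.
function resolveRefs(documentUrl, baseHref, refs) {
  const base = baseHref ? new URL(baseHref, documentUrl) : new URL(documentUrl);
  return refs.map((r) => ({ ...r, resolved: new URL(r.value, base).href }));
}

// List references that leave HTTPS although the document was fetched over HTTPS.
function leavesHttps(documentUrl, baseHref, refs) {
  if (new URL(documentUrl).protocol !== "https:") return [];
  return resolveRefs(documentUrl, baseHref, refs)
    .filter((r) => new URL(r.resolved).protocol !== "https:");
}

// What the server receives in the request line: path and query only.
// The "#fragment" stays in the client, so a server-side redirect handler
// cannot copy it into the Location header it builds.
function requestTarget(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

const page = "https://www.example.com/secure/login.html";
const refs = [
  { tag: "A", attr: "HREF", value: "foo.html" },
  { tag: "A", attr: "HREF", value: "/cgi-bin/foo.cgi" },
  { tag: "IMG", attr: "SRC", value: "logo.png" },
  { tag: "IMG", attr: "SRC", value: "https://www.example.com/foo.png" },
];

// Without BASE: every relative reference inherits https from the page.
console.log(resolveRefs(page, null, refs).map((r) => r.resolved));
// With an http BASE: the links move to http, and so does the relative IMG.
console.log(leavesHttps(page, "http://www.example.com/", refs));
// The fragment is absent from what the SSL server sees.
console.log(requestTarget("https://www.example.com/foo.cgi?bar#section2"));
```

Only the fully qualified `https://` image survives the BASE change, which is why the other tags have to be rewritten by hand.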
 
 
 

1. avoid warning of redirection to non-secure url from secure url

I am trying to implement a web login mechanism that uses
ssl to transmit encrypted password.  After the web server
cgi checks the password, it will send a redirection message
back to the browser to get a page from non-secure server.

HTTP/1.1: 302 Redirection
Location: http://..../

But I keep getting a warning message from the browser saying
a non-secure page is redirected from a secure page.  I want
to get rid of the daunting warning.  What can I do?

I check the hotmail login, and they are able to change the
secure url to a non-secure url after login.  Does anyone
have any clue?

Thanks a lot.

Dowson
