Secure Mosaic / Net surfing

michael shiplett michael.shiplett at umich.edu
Sat Jun 25 02:47:04 PDT 1994


"vc" == Vincent Cate <Vincent.Cate at FURMINT.NECTAR.CS.CMU.EDU> writes:

vc> I was surfing off the edges of my page and came across a page
vc> about secure http/mosaic. The page is:

vc>      http://hoohoo.ncsa.uiuc.edu/docs/PEMPGP.html

  This is not the SHTTP work being done for CommerceNet--it is more a
proof of concept for doing PK encryption of HTTP requests. It has a few
shortcomings:
  1) The server identity is passed over an insecure connection without
     any way for the client to verify it.
  2) The server's public key are obtained via finger.
  3) Requests are subject to replay attacks.

  To be fair, the document mentions (2) & (3).

  There are, at least, a couple projects adding security to
HTTP--Shen Security Enhancements to HTTP and Secure HTTP.

The former may be found at
    http://info.cern.ch/hypertext/WWW/Shen/ref/shen.html

while SHTTP is available as
    WWW   http://www.commerce.net/information/standards/drafts/shttp.txt
    Email shttp-info at commerce.net
    FTP   ftp://ftp.commerce.net/pub/standards/drafts/shttp.txt

  I do not know if the differences between the two have been resolved
so that there is a single proposal for secure web transactions.

michael






More information about the cypherpunks-legacy mailing list