This is a follow-up to my last post. Without actually writing any code I figured out a way to possibly pull off the idea in my previous post. It was a little complicated and had room to fail. It also didn’t cover keeping people logged in long term. Basically the whole “Remember me for x days” feature would be difficult to implement. It wouldn’t be impossible, but it was complicated enough to make me think that maybe there is a better way.
Actually there is a better way, https. The problem I have with https is it costs money. Yea, not a lot, but still there is a cost associated with it and I like the whole idea of the free web. The nice thing about https is that it helps ensure you’re talking to who you think you’re talking to. That’s the whole point of ssl certificates. It’s not perfect, there have been problems in the past. However it’s a pretty good system that gets the job done.
I’m not proposing to change that. My idea is for when you need less secure data transmissions: httpe, or http encrypted.
The basic principle is that requests and responses would be encrypted using a shared key between the client and server. The basic negotiation would be:
The Client sends an unencrypted request, which consists of a randomly generated key.
The Server responds with a response encrypted with the key sent by the browser. The payload is a new key.
The Client and Server could then begin encrypted conversations using the server generated key.
You could then set cookie headers and such as you like, for example to maintain persistence across sessions.
The risk of someone hijacking a session is limited to someone sniffing the original request. There would be some overhead. The server would need to maintain the key for at least the duration of the session. Then again, it already needs to do this for the session token anyway.
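To make the negotiation concrete, here is an added Python example (my own illustration written for this post, not code from the post itself) that walks through the exchange above with both sides' messages, then shows what a passive observer who captured the first cleartext request learns. The post names no cipher, so an HMAC-SHA256 keystream XOR stands in as an assumed toy symmetric cipher; the session id, message framing and the `Server`/`run_exchange`/`passive_observer` names are likewise assumptions made for the example. The check at the end is the caveat behind the "sniffing the original request" risk: because the client key travels unencrypted, anyone holding a capture of the whole exchange can decrypt the server's reply, recover the session key, and read every later message, which is what a key-agreement step or a certificate-authenticated handshake (as in https) is there to prevent.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (assumed for illustration, not a real cipher):
    XOR data with an HMAC-SHA256 keystream derived from key + nonce in counter mode."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


class Server:
    """Holds one session key per session id for the life of the session."""

    def __init__(self) -> None:
        self.sessions: dict[str, bytes] = {}

    def handle_hello(self, client_key: bytes) -> bytes:
        # Step 2: reply encrypted under the client's key; payload is a new server key.
        server_key = os.urandom(32)
        sid = os.urandom(8).hex()  # hex digits only, so ':' below is an unambiguous separator
        self.sessions[sid] = server_key
        return encrypt(client_key, sid.encode() + b":" + server_key)

    def handle_request(self, sid: str, blob: bytes) -> bytes:
        # Step 3/4: ordinary traffic, both directions under the server-generated key.
        key = self.sessions[sid]
        request = decrypt(key, blob)
        return encrypt(key, b"200 OK hello " + request)


def run_exchange(server: Server) -> dict:
    """Play the four messages of the proposed negotiation and return the wire transcript."""
    client_key = os.urandom(32)
    step1 = client_key  # Step 1: the random key goes over the wire in the clear
    step2 = server.handle_hello(client_key)
    sid, server_key = decrypt(client_key, step2).split(b":", 1)
    step3 = encrypt(server_key, b"GET /profile")  # constructed sample request
    step4 = server.handle_request(sid.decode(), step3)
    return {
        "transcript": [step1, step2, step3, step4],
        "response": decrypt(server_key, step4),
    }


def passive_observer(transcript: list) -> tuple:
    """What a purely passive capture of the whole exchange yields: the cleartext
    client key from step 1 unlocks step 2, and the key inside step 2 unlocks the rest."""
    client_key, step2, step3, step4 = transcript
    _sid, server_key = decrypt(client_key, step2).split(b":", 1)
    return decrypt(server_key, step3), decrypt(server_key, step4)


if __name__ == "__main__":
    result = run_exchange(Server())
    print("client saw:", result["response"])
    print("observer saw:", passive_observer(result["transcript"]))
```

Running it prints the same request and response twice, once as the legitimate client decrypted them and once as recovered from the captured transcript alone. Dropping step 1 from the capture (an observer who only joined later) leaves the observer with nothing usable, which is exactly the narrow window the post describes; a real deployment cannot rely on that window staying closed.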
At worst this would allow people to set up basic sessions and encrypted traffic for their prototype and early beta ideas without forking over the money for an ssl cert to start. Meanwhile the way we’ve been doing http sessions for years doesn’t really have to change.
Edit: HTTP 1.1 Upgrade header looks like a similar approach that’s probably a lot better than the one I came up with while drinking coffee. http://en.wikipedia.org/wiki/HTTP/1.1_Upgrade_header