Re: SSL-Security loophole?

[Stephanie Wright <swright@xxxxxxxxx>]

> Dear tenon,
>
> I hope that I can be quite clear about my problem and that it is solvable.
>
> I have a secure domain, it has a verisign cert etc and works well 
> (fast!) and gives me an encrypted domain.
>
> However I find myself in EXACTLY the same situation as before:
>
> If you delete all CA's from your browser then log into the domain 
> you are prompted to accept the unknown cert. If you do all is well.
>
> However..and this concerns me (and should you all), if you refuse 
> the cert..you are then able to view the site NON-ENCRYPTED. What 
> appears secure is in fact not. If you never fail mode test this you 
> would never know.
>
> OK, how do I force the server to REFUSE the connection if not 
> secure-other servers do this as I have tried the above with them.
>
> I know that there are apache directives to do this, how do I implement them?

Do you have a non-SSL host set up for the same domain? Or is it the 
default host/domain for the server? In either of those cases, non-SSL 
requests will be served.

In the virtual host for SSL is not the default for the machine, and 
it doesn't have a matching non-SSL VH entry then all requests to that 
VH should only be SSL. Requests made with "http" should say server 
not responding.
--
    Stephanie J. Wright

---------------------------------------------------------------------
Tenon Intersystems                                       805-963-6983
1123 Chapala Street                                 swright@xxxxxxxxx
Santa Barbara, CA 93101                          http://www.tenon.com
---------------------------------------------------------------------

----
Tenon Intersystems' WebTen Mailing List
To unsubscribe: send mail to webten-request@xxxxxxxxx with the 
subject: unsubscribe
Find searchable Mailing List archives at
http://listsearch.blueworld.com/webtensearch.lasso