Re: SSL-Security loophole?

[Mark A Bennett <mark.bennett@xxxxxxxx>]

> > Dear tenon,
> >
> > I hope that I can be quite clear about my problem and that it is solvable.
> >
> > I have a secure domain, it has a verisign cert etc and works well 
> > (fast!) and gives me an encrypted domain.
> >
> > However I find myself in EXACTLY the same situation as before:
> >
> > If you delete all CA's from your browser then log into the domain 
> > you are prompted to accept the unknown cert. If you do all is well.
> >
> > However..and this concerns me (and should you all), if you refuse 
> > the cert..you are then able to view the site NON-ENCRYPTED. What 
> > appears secure is in fact not. If you never fail mode test this you 
> > would never know.
> >
> > OK, how do I force the server to REFUSE the connection if not 
> > secure-other servers do this as I have tried the above with them.
> >
> > I know that there are apache directives to do this, how do I implement them?
>
> Do you have a non-SSL host set up for the same domain?

No.


>  Or is it the default host/domain for the server?

No.

> In either of those cases, non-SSL requests will be served.

I have looked at this closely. It serves non encrypted data over https.

>
In the virtual host for SSL is not the default for the machine,

> and it doesn't have a matching non-SSL VH entry then all requests to 
> that VH should only be SSL. Requests made with "http" should say 
> server not responding.
> --
It does! but my point is that the pages are served with https!

This is most worrying and I am keeping this from my client. I have to 
understand why the server is doing this? and will need your help to 
do so.

Regards

Mark

----
Tenon Intersystems' WebTen Mailing List
To unsubscribe: send mail to webten-request@xxxxxxxxx with the 
subject: unsubscribe
Find searchable Mailing List archives at
http://listsearch.blueworld.com/webtensearch.lasso