TLS is negotiated on the channel before any data is sent on the channel (RFC 2818). Other protocols, most notably ESMTP, use a STARTTLS mechanism to negotiate the initiation of the TLS encryption.

"Security through obscurity" isn't secure. If nothing else, remember that the client machine is outside of your domain, and you cannot be certain in any way that the VM your application is running in hasn't been compromised.

-Kyle H

On Sat, Mar 14, 2009 at 1:14 PM, Andy Burnett andy.burnett@knowinnovation.com wrote:

I had a brilliant idea today! Instead of bothering with authentication, I would use unguessable URLs (and/or arguments) for my application - yes I know it is hardly unique, but it might solve a problem for me.

Anyway, after recovering form the shock of my idea, I suddenly realised it would be completely useless if the URL is transmitted in plain text.  Does anyone know when the encryption in an SSL session actually kicks in?  And is there anything I can set on WAKom to ensure that the URL is protected?

Cheers Andy

---

Beginners mailing list Beginners@lists.squeakfoundation.org http://lists.squeakfoundation.org/mailman/listinfo/beginners