Re: [tlug] telnet'ing to home with Java servlet

["Stephen J. Turnbull" <stephen@example.com>]

>>>>> "Josh" == Josh Glover <jmglov@example.com> writes:

    Josh> Jim, why do you think a proxy forces plaintext passwords
    Josh> with an HTTPS proxy? I do not doubt you, just wondering if
    Josh> you have specific example in mind.

It doesn't force plaintext anything.  However, unless you authenticate
the public key used to negotiate the session key, the proxy can spoof
the real server to you.  In that case, it can decrypt anything you
stuff into the SSL socket.

The point is that if you're setting this up yourself, you need to set
up authentication; HTTPS itself is no guarantee.  I don't think it's
terribly hard to do, but I doubt it's trivial to figure out for
yourself.


-- 
School of Systems and Information Engineering http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.