acmeattic-devel team mailing list archive

Re: Components split up diagram

 

On Saturday 10 July 2010 10:08 PM, Karthik Swaminathan Nagaraj wrote:
> HTTPS [1] just provides HTTP over SSL (as simple as that). It's the browser's responsibility to verify the certificates. Mozilla has put up a list of certificates that it uses [2] (from popular Certificate Authorities). If we initiate a connection using SSL, the client software obtains the server's certificate and verifies it against one of these certificates that our application would carry. (We do not have a browser in this picture). If our Server Core module were to listen on the HTTPS port (443), then it's actually hijacking a "well known" port for our application. This means that the same machine cannot handle an HTTPS web server. If you are referring to writing the server core module as a web application, it sounds weird to write a non-www application as a web application. Also, I am sure Dropbox and SpiderOak do not use HTTPS for client_app-server_app interaction.

I was saying that the server process could listen to the clients via the web server, which will listen on 443. This makes sure that no special firewall considerations are needed in most networks. If a browser can connect to HTTPS sites, so can the acmeattic client. In fact, both Dropbox and SpiderOak use HTTPS [1,2]. I agree that server verification should also be done by the client, but at least until we add that functionality, the web browser can do it (we just need to point it to the HTTPS base URL of the server site).

[1]: https://www.dropbox.com/help/23
[2]: https://spideroak.com/faq/are_there_any_special_firewall_settings_spideroak_needs




