On Sun, 30 May 2004, robert w hall wrote:
Every time I read the playstation2-linux lists I realise how very useful dillo will be when it gets just a little further.
Please elaborate a bit on this subject.
How's the short/medium term future of https looking?(*) If an official plugin is in the offing then that's probably what we should all wait for.
The short term looks very good; at this time we only need some TLS or SSLlib savvy guys, with some time, willing to polish our current prototype. The main problem with the past prototypes and patches is that they don't handle connection caching (nor did they provide an easy way to implement that), and, most important, they don't do certificate validation! The current prototype for SSL (using dpi) provides for an easy way of implementing connection caching, and for asking the user (using dillo's API) whether to continue on unverified connections; the SSL part of this verification is not yet done though. As Madis put it:
Most important thing missing from the ssl specific code is certificate verification - it MUST be done in order to have any actual security. In its current form it just gives a way to access SSL sites, but not secure access.
I know people look forward to the day when they can complete their online shopping with dillo, but we must be very careful to provide real security. This is key. Unfortunately I'm not an encryption expert, and we need some help from a savvy guy (the chances of an SSL freshman making mistakes are very high). I'd love to have a TLS based dpi for https (TLS lib is GPLed and is a requisite to NPTL, so it'll become as ubiquitous as SSL lib). The current prototype is SSLlib based, but is enough to start polishing and extending the code.
Some time ago Madis wrote an SSL gateway for Dillo. After some work, I decided to integrate it through the dpi framework (to empower it with dpip and also to avoid some quirks by using the standard way to extend dillo). That is the current prototype.
Just in case an SSL/TLS savvy person is reading: the work with the dpi is quite simple, you don't need to know about Dillo's internal working, actually the https dpi is a C program that's independent of Dillo. The dpi just needs to make the secure connection to the remote server (and verify the certificate), then forward the http stream to dillo, or ask whether to close or proceed when it can't verify. This is done with a simple dpid tag, all the SSL stuff happens inside the dpi.
Otherwise, is the patch from 0.7 resurrectable??
Sure, but not worth it. At least the current prototype can POST.
Cheers
Jorge.-
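The flow described in the message above (connect, verify the certificate, then either forward the stream or ask the user whether to close or proceed) can be sketched as follows. This is an added example, not part of the original message and not Dillo's dpi code: it uses Python's standard `ssl` module instead of the C prototype, and the names `open_https`, `ask_user` and `connect` are hypothetical.

```python
import socket
import ssl


def verified_context():
    """Validate the chain against the system CA store and check the hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context()


def unverified_context():
    """Encryption without authentication; used only after the user accepts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_connect(host, port, ctx):
    """Open a TCP connection and run the TLS handshake under ctx."""
    raw = socket.create_connection((host, port), timeout=10)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()                     # do not leak the socket on failure
        raise


def open_https(host, port, ask_user, connect=tls_connect):
    """Return (conn, verified); conn is None when the user chooses to close.

    ask_user(host, reason) stands in for the dialog the dpi would request
    from the browser; it returns True to proceed without verification.
    """
    try:
        return connect(host, port, verified_context()), True
    except ssl.SSLCertVerificationError as err:
        # verify_message is filled in by OpenSSL on real handshake failures.
        reason = getattr(err, "verify_message", None) or str(err)
    if not ask_user(host, reason):
        return None, False              # close: nothing is sent to the peer
    # Proceeding gives no protection against an impersonated server, so the
    # caller gets verified=False and can mark the page accordingly.
    return connect(host, port, unverified_context()), False
```

Only certificate verification failures lead to the prompt; any other handshake or network error propagates to the caller unchanged.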