Maybe It's Snake Oil All the Way Down

Peter Clay pete at flatline.org.uk
Wed Jun 4 21:47:14 EDT 2003


On Tue, 3 Jun 2003, Ian Grigg wrote:

> But, there is a big personal cost with reputational
> information.  Few people would want to see my credit
> card info, but I can think of lots that would be keen
> on seeing my adult browsing, my gaming addition, or
> my participation in my kleptomaniacal therapy group,
> not to mention anything embarrassing I might get up
> to!

You can't really hide this info with SSL: because of a number of design
decisions, you can only have one SSL site per IP address. The server has
to present a certificate - including site name - before the client sends
the Host: header indicating which site you want to see. So the
eavesdropper can work out what site you're visiting by looking solely at
the IP address.

This could have been avoided by defining two different "secure" protocols,
one of which offers scalable anonymous browsing and the other of which
offers guarantees about who you're posting your credit card to. It's still
possible that the P2P people will reinvent the web with an anonymising
routing protocol and end-to-end encryption, but don't bank on it.

Pete
-- 
Peter Clay                                         | Campaign for   _  _| .__
                                                   | Digital       /  / | |
                                                   | Rights!       \_ \_| |
                                                   | http://www.ukcdr.org
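The ordering problem Pete describes, as an added example that is not part of the original post or the list thread: a TLS 1.0 handshake of the kind in use when this was written, seen from the position of a passive eavesdropper on the wire. The ClientHello carries no hostname at all, and the server's Certificate message goes across in the clear before any HTTP request (and therefore before any Host: header) can be sent. The certificate body here is a constructed DER fragment containing only a subject CommonName, not a real X.509 certificate, and the byte layouts are simplified to the fields needed to make the point; the function names are this example's own.

```python
"""Passive observer on a TLS 1.0 handshake (constructed example, not real traffic)."""
import struct

HANDSHAKE = 22                      # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
OID_COMMON_NAME = bytes.fromhex("550403")   # X.520 id-at-commonName, 2.5.4.3


def der(tag, payload):
    """Encode one DER TLV (short or long form length)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def fake_certificate(common_name):
    """A stand-in for the server certificate: just a DER subject Name with one CN.
    This is NOT a valid X.509 certificate; it only models the part an observer reads."""
    attr = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x13, common_name.encode()))
    subject = der(0x30, der(0x31, attr))      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return der(0x30, subject)


def record(content_type, body):
    """TLS record: type(1) version(2) length(2) payload."""
    return struct.pack("!BHH", content_type, 0x0301, len(body)) + body


def handshake(msg_type, body):
    """Handshake message: type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def client_hello():
    """TLS 1.0 ClientHello: version, random, empty session id, one cipher suite, null compression.
    There is no extensions block, so there is nowhere to name the site being requested."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    return record(HANDSHAKE, handshake(CLIENT_HELLO, body))


def server_hello_and_certificate(common_name):
    """ServerHello followed by the Certificate message, both in one plaintext record."""
    sh = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    cert = fake_certificate(common_name)
    cert_list = len(cert).to_bytes(3, "big") + cert          # ASN.1Cert with its own 3-byte length
    cert_msg = len(cert_list).to_bytes(3, "big") + cert_list  # certificate_list length prefix
    return record(HANDSHAKE, handshake(SERVER_HELLO, sh) + handshake(CERTIFICATE, cert_msg))


def iter_handshake_messages(stream):
    """Walk the records in a captured byte stream and yield (type, body) for handshake messages."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, rlen = struct.unpack("!BHH", stream[pos:pos + 5])
        payload = stream[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != HANDSHAKE:
            continue                      # application data is encrypted; nothing to read there
        p = 0
        while p + 4 <= len(payload):
            mtype = payload[p]
            mlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield mtype, payload[p + 4:p + 4 + mlen]
            p += 4 + mlen


def common_name_from_der(blob):
    """Find the first CN attribute in a DER blob and return its string value (None if absent)."""
    marker = der(0x06, OID_COMMON_NAME)
    i = blob.find(marker)
    if i < 0:
        return None
    j = i + len(marker)                   # next TLV is the string value (short-form length assumed)
    n = blob[j + 1]
    return blob[j + 2:j + 2 + n].decode()


def observed_site(stream):
    """What the eavesdropper learns from the plaintext handshake: the CN in the server's certificate."""
    for mtype, body in iter_handshake_messages(stream):
        if mtype == CERTIFICATE:
            first_len = int.from_bytes(body[3:6], "big")
            return common_name_from_der(body[6:6 + first_len])
    return None


if __name__ == "__main__":
    capture = client_hello() + server_hello_and_certificate("www.example.com")
    print("hostname in ClientHello:", b"www.example.com" in client_hello())
    print("site seen from certificate:", observed_site(capture))
```

Run stand-alone, it reports that the ClientHello contains no hostname and that the observer nevertheless recovers the site from the certificate; combined with the destination IP address, that is exactly the leak the post describes, and it happens before the client has the chance to send anything encrypted.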


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
