Maybe It's Snake Oil All the Way Down

Tim Dierks tim at dierks.org
Fri Jun 6 15:07:45 EDT 2003


At 09:47 PM 6/4/2003, Peter Clay wrote:
>You can't really hide this info with SSL: because of a number of design
>decisions, you can only have one SSL site per IP address. The server has
>to present a certificate - including site name - before the client sends
>the Host: header indicating which site you want to see. So the
>eavesdropper can work out what site you're visiting by looking solely at
>the IP address.

This isn't an SSL flaw; this is an HTTPS flaw, and it is repaired by RFC 
2817, which is, as far as I know, sadly unimplemented in the field.

  - Tim



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
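
An added illustration, not part of the message above or of the list archive: a Python model of the RFC 2817 upgrade exchange (OPTIONS * with "Upgrade: TLS/1.0", answered by "101 Switching Protocols"), showing that the Host header reaches the server before the TLS handshake, so the server can choose a certificate per site on a shared IP address. The host names and certificate labels are constructed, and the TLS handshake itself is not performed.

```python
CRLF = "\r\n"

# Constructed example data: two virtual hosts on one IP address, one certificate each.
CERTS = {"shop.example": "cert-for-shop.example",
         "mail.example": "cert-for-mail.example"}

def tokens(value):
    """Split a comma-separated header value into lowercase tokens."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def build_upgrade_request(host):
    """Client side: the upgrade request of RFC 2817 section 3.2.
    This first request, including the Host header, is sent in cleartext."""
    return CRLF.join(["OPTIONS * HTTP/1.1", f"Host: {host}",
                      "Upgrade: TLS/1.0", "Connection: Upgrade", "", ""])

def parse_head(raw):
    """Return (start_line, headers) for an HTTP message head."""
    lines = raw.split(CRLF + CRLF, 1)[0].split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def server_respond(raw_request):
    """Server side: return (response, certificate to present in the handshake).
    The certificate is selected from the Host header, which has already arrived."""
    _, h = parse_head(raw_request)
    cert = CERTS.get(h.get("host", "").lower())
    wants_tls = ("tls/1.0" in tokens(h.get("upgrade", ""))
                 and "upgrade" in tokens(h.get("connection", "")))
    if not wants_tls or cert is None:
        return "HTTP/1.1 400 Bad Request" + CRLF + "Connection: close" + CRLF * 2, None
    return CRLF.join(["HTTP/1.1 101 Switching Protocols",
                      "Upgrade: TLS/1.0, HTTP/1.1", "Connection: Upgrade", "", ""]), cert

def client_accepts(raw_response):
    """Client side: start the TLS handshake only after an explicit 101 that names
    TLS/1.0; any other answer means the connection is still cleartext (fail closed)."""
    start, h = parse_head(raw_response)
    parts = start.split()
    return (len(parts) >= 2 and parts[1] == "101"
            and "tls/1.0" in tokens(h.get("upgrade", ""))
            and "upgrade" in tokens(h.get("connection", "")))

if __name__ == "__main__":
    response, cert = server_respond(build_upgrade_request("mail.example"))
    print(response.split(CRLF)[0], "->", cert, "| proceed:", client_accepts(response))
```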


