Maybe It's Snake Oil All the Way Down

Eric Rescorla ekr at rtfm.com
Fri Jun 6 17:49:37 EDT 2003


Tim Dierks <tim at dierks.org> writes:

> At 09:47 PM 6/4/2003, Peter Clay wrote:
> >You can't really hide this info with SSL: because of a number of design
> >decisions, you can only have one SSL site per IP address. The server has
> >to present a certificate - including site name - before the client sends
> >the Host: header indicating which site you want to see. So the
> >eavesdropper can work out what site you're visiting by looking solely at
> >the IP address.
> 
> This isn't an SSL flaw; this is an HTTPS flaw, and it is repaired by
> RFC 2817, which is, as far as I know, sadly unimplemented in the field.

Unfortunately, 2817 is totally broken. What you want is the
TLS extensions draft, which is on its way to RFC even as we speak.

-Ekr


-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com