[Cryptography] TLS2
Hanno Böck
hanno at hboeck.de
Mon Sep 30 10:14:06 EDT 2013
On Mon, 30 Sep 2013 11:47:37 +0200
Adam Back <adam at cypherspace.org> wrote:
> I think lack of soft-hosting support in TLS was a mistake - its
> another reason not to turn on SSL (IPv4 addresses are scarce and can
> only host one SSL domain per IP#, that means it costs more, or a
> small hosting company can only host a limited number of domains, and
> so has to charge more for SSL): and I dont see why its a cost worth
> avoiding to include the domain in the client hello. There's an RFC
> for how to retrofit softhost support via client-hello into TLS but
> its not deployed AFAIK.
It's called SNI and it is widely deployed. All browsers and all
relevant web servers support it.
However, it has one drawback: It doesn't work with SSLv3, which means
it breaks every time browsers do a fallback on SSLv3. And they do quite
often, because they retry SSLv3 connects if TLS connections fail. Which
is also a security problem and allows downgrade attacks, but mainly it
means with weak internet connections you often get downgraded
connections.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130930/d7252afe/attachment.pgp>
More information about the cryptography
mailing list