[Cryptography] TLS2

Hanno Böck hanno at hboeck.de
Mon Sep 30 10:14:06 EDT 2013

On Mon, 30 Sep 2013 11:47:37 +0200
Adam Back <adam at cypherspace.org> wrote:

> I think lack of soft-hosting support in TLS was a mistake - its
> another reason not to turn on SSL (IPv4 addresses are scarce and can
> only host one SSL domain per IP#, that means it costs more, or a
> small hosting company can only host a limited number of domains, and
> so has to charge more for SSL): and I dont see why its a cost worth
> avoiding to include the domain in the client hello.  There's an RFC
> for how to retrofit softhost support via client-hello into TLS but
> its not deployed AFAIK.

It's called SNI and it is widely deployed. All browsers and all
relevant web servers support it.

However, it has one drawback: It doesn't work with SSLv3, which means
it breaks every time browsers do a fallback on SSLv3. And they do quite
often, because they retry SSLv3 connects if TLS connections fail. Which
is also a security problem and allows downgrade attacks, but mainly it
means with weak internet connections you often get downgraded

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20130930/d7252afe/attachment.pgp>

More information about the cryptography mailing list