[145105] in North American Network Operators' Group
Re: Nxdomain redirect revenue
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Tue Sep 27 18:09:49 2011
In-Reply-To: <CAL9jLaaOdE3djf6UnYGwdBnuGRnQ3iMbc+QAMT4nYtKL5LDhdg@mail.gmail.com>
Date: Tue, 27 Sep 2011 17:08:42 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
> how does tls/https help here? if you get sent to the 'wrong host'
> whether or not it does https/tls is irrelevant, no? (save the case of
> chrome and domain pinning)

Because the operator of the "wrong host" cannot obtain an SSL certificate for
the right host's domain from a legitimate CA.

When the user types in '[therightdomain].com' and their browser immediately
sends them to https://therightdomain.com the HTTPS request will fail and show
the user an error message if the site is the wrong one, instead of allowing
the wrong server to produce a response.

To be clear, I am suggesting HTTPS should be the default, all servers should
support it, and once a browser learns that a site supports HTTPS, it should
maintain a memory of that fact in a hash table, and refuse to access the site
over HTTP unless specifically requested (in order to prevent downgrade
attacks) and refuse to try HTTP first when a new domain is entered.

The http:// schema should be removed/deprecated, and replaced with
insecurehttp://
And plain HTTP only used first if the user types that.

That is, HTTPS should become assumed.

Regards,
--
-JH
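
The address-bar policy proposed in the message above, sketched as an added example (not code from the thread or from any browser). The class, method and outcome names are hypothetical, probeTls stands in for a real TLS handshake, and two points are assumptions about the proposal: a never-seen host with no HTTPS service may fall back to HTTP, and a typed http:// is treated as HTTPS-first.

```javascript
// Added sketch of the policy proposed in the message; names are hypothetical.
// "insecurehttp://" is the scheme the message proposes, not one browsers implement.
class HttpsFirstPolicy {
  constructor() {
    this.httpsHosts = new Set(); // the "hash table" of hosts seen working over HTTPS
  }

  // probeTls(host) stands in for a real TLS handshake and returns
  // 'ok', 'cert-error' (certificate validation failed) or 'unreachable'.
  navigate(typed, probeTls) {
    const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(typed.trim());
    const scheme = m ? m[1].toLowerCase() : 'https';   // HTTPS is assumed
    const rest = m ? m[2] : typed.trim();
    const host = new URL('https://' + rest).hostname;  // URL lowercases the host

    if (scheme === 'insecurehttp') {
      // The only case where plain HTTP is used first: the user typed it.
      return { action: 'load', url: 'http://' + rest };
    }
    // Bare names, https:// and legacy http:// all try HTTPS first
    // (assumption for http://: the message wants that scheme retired).
    const result = probeTls(host);
    if (result === 'ok') {
      this.httpsHosts.add(host);
      return { action: 'load', url: 'https://' + rest };
    }
    if (result === 'cert-error') {
      // A "wrong host" cannot present a valid certificate: fail closed,
      // never let that server produce a response.
      return { action: 'error', reason: 'certificate' };
    }
    if (this.httpsHosts.has(host)) {
      // A site known to support HTTPS now offers no TLS: refuse the downgrade.
      return { action: 'error', reason: 'downgrade-refused' };
    }
    // Assumption: a never-seen host without HTTPS may fall back to HTTP.
    // This first visit is the one case the remembered table cannot protect.
    return { action: 'load', url: 'http://' + rest };
  }
}
```
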