Re: Nxdomain redirect revenue
daemon@ATHENA.MIT.EDU (Chris Adams)
Tue Sep 27 21:45:51 2011
Date: Tue, 27 Sep 2011 20:44:10 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <67EF0A3B-714E-4856-9E85-8D1B1E9AC150@delong.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Once upon a time, Owen DeLong <owen@delong.com> said:
> No, it isn't because it requires you to send the domain portion of the URL
> in clear text and it may be that you don't necessarily want to disclose even
> that much information about your browsing to the public.
If you don't want even the site you are browsing public, HTTPS is not
the solution. Without SNI, HTTPS is one-site-per-IP (nobody uses the
subjectAltName to host multiple different sites on the same IP in
practice), so all somebody has to do is fetch the certificate from the
same IP/port and look at the CN/subjectAltName. Either that's the site
you went to, or you accepted the host/cert mismatch (and are a target
for spoofing).
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.