[13485] in cryptography@c2.net mail archive
Re: Maybe It's Snake Oil All the Way Down
daemon@ATHENA.MIT.EDU (Tim Dierks)
Fri Jun 6 17:36:19 2003
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Fri, 06 Jun 2003 15:07:45 -0400
To: Peter Clay <pete@flatline.org.uk>, Ian Grigg <iang@systemics.com>
From: Tim Dierks <tim@dierks.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <Pine.LNX.4.21.0306050233340.1558-100000@mccoy.flatline.org
.uk>
At 09:47 PM 6/4/2003, Peter Clay wrote:
>You can't really hide this info with SSL: because of a number of design
>decisions, you can only have one SSL site per IP address. The server has
>to present a certificate - including site name - before the client sends
>the Host: header indicating which site you want to see. So the
>eavesdropper can work out what site you're visiting by looking solely at
>the IP address.
This isn't an SSL flaw; this is an HTTPS flaw, and it is repaired by RFC
2817, which is, as far as I know, sadly unimplemented in the field.
- Tim
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
