[147348] in cryptography@c2.net mail archive
Re: [Cryptography] TLS2
daemon@ATHENA.MIT.EDU (Hanno =?UTF-8?B?QsO2Y2s=?=)
Mon Sep 30 14:03:13 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 30 Sep 2013 16:14:06 +0200
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno@hboeck.de>
To: Adam Back <adam@cypherspace.org>
In-Reply-To: <20130930094737.GA9468@netbook.cypherspace.org>
Cc: cryptography@metzdowd.com, Crypto List <cryptography@randombit.net>,
ianG <iang@iang.org>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--===============4039262052630528186==
Content-Type: multipart/signed; micalg=PGP-SHA512; protocol="application/pgp-signature"; boundary="=_zucker.schokokeks.org-11647-1380550456-0001-2"
This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.
--=_zucker.schokokeks.org-11647-1380550456-0001-2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
On Mon, 30 Sep 2013 11:47:37 +0200
Adam Back <adam@cypherspace.org> wrote:
> I think lack of soft-hosting support in TLS was a mistake - its
> another reason not to turn on SSL (IPv4 addresses are scarce and can
> only host one SSL domain per IP#, that means it costs more, or a
> small hosting company can only host a limited number of domains, and
> so has to charge more for SSL): and I dont see why its a cost worth
> avoiding to include the domain in the client hello. There's an RFC
> for how to retrofit softhost support via client-hello into TLS but
> its not deployed AFAIK.
It's called SNI and it is widely deployed. All browsers and all
relevant web servers support it.
However, it has one drawback: It doesn't work with SSLv3, which means
it breaks every time browsers do a fallback on SSLv3. And they do quite
often, because they retry SSLv3 connects if TLS connections fail. Which
is also a security problem and allows downgrade attacks, but mainly it
means with weak internet connections you often get downgraded
connections.
--=20
Hanno B=C3=B6ck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
--=_zucker.schokokeks.org-11647-1380550456-0001-2
Content-Type: application/pgp-signature; name="signature.asc"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=signature.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (GNU/Linux)
iQIcBAEBCgAGBQJSSYcwAAoJEKWIAHK7tR5CB8wP/3DJxwuPwN99YF5oI44o+H+R
U78gzW8I7CKypul8cj3nQ7ZqDzuigq6fO/Bm4RXy2a1xbUKAnGmGNbGJlt4Q85Xz
SogeQZwY5oUxuTFU/fF2kwexFdRI3ij8fDX6vwhiE0VXkVs2WVkXKf5JJReqVkdQ
xrjsGHjHquRrt/JgLBI4Zz5odYcFPVeq1JZM7cxIbVVEJR6gCryjOhqTT/KX6xbj
je6S18cACwL4TlI8gYvmcraPhEkN4cxM8E3Ao0+PaWCC2MwIletzHX4nWI8iraWi
gAuRes8C7dqU5AqxA/+qUsoRgIkpU9DfeCifAf+k5PXGdgIMpFvM7ORXcCuaDrEj
cC4RWa5HVgu0cu3zGV7vWsH9SvXdImUlq4kuU19Yh8luNiToYEYpb0+FnGgRl5Ws
UQWabewgvRfdfQ/jxLWHXxF/ZHAVJfRGuRmNREaM5FcBdZiKjTweG+gQWzeK7xPC
nzjB2T4iUqVK1ZNCqPi7xihgyb/zS1PJrCT7Wms3pCyevMH6eGXJX6xU4rsKpRpt
dPpvzM4xhcXfgyuVFaINdSvqFGJ28CrGP27bDuRqig/4DGfsDRmPTOJapL3/xLQV
amDBi+UJ42gAnIgUoKNxtQBUZH9kWkrwQq2RUY2iPbk+oWmVRF95FTL0xajCS2e3
rDsOWgJdA/saPu4bSkkb
=F6pg
-----END PGP SIGNATURE-----
--=_zucker.schokokeks.org-11647-1380550456-0001-2--
--===============4039262052630528186==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============4039262052630528186==--
