httpd-dev mailing list archives

From "Scott Hess" <sc...@avantgo.com>
Subject Re: Upcoming 'Upgrade' draft
Date Wed, 21 Jul 1999 15:56:13 GMT
Ben Laurie <ben@algroup.co.uk> wrote:
> Dean Gaudet wrote:
> > On Mon, 19 Jul 1999, Ben Laurie wrote:
> > > "Ritcey, Benjamin" wrote:
> > > > If I'm understanding this correctly, this would allow the long-sought-after
> > > > SSL virtual host, no?
> > >
> > > You mean name-based SSL virtual hosts, I presume? In which case, yes.
> > > IP/port-based SSL virtual hosts have always been possible, of course.
> >
> > I'm not convinced ... it feels to me like there's a privacy problem if the
> > client sends anything unencrypted other than the "please let's do ssl"
> > request.
>
> The "please let's do ssl" request includes the Host: header, as per the
> spec. If you want to debate this, you are on the wrong list :-)

I wouldn't think that would be the security problem, though, would it?  If
you have the wherewithal to see the Host: header the server will see, then
you most likely have the wherewithal to see the IP address that packet is
targeted to.  Since you have to use IP-based virtual hosts for SSL right
now, knowing the human-readable hostname shouldn't be any worse than knowing
the IP address.

I'd guess he (Dean) was referring to something else?

Later,
scott
