httpd-dev mailing list archives

From Peter Galbavy <Peter.Galb...@knowledge.com>
Subject Re: Upcoming 'Upgrade' draft
Date Wed, 21 Jul 1999 10:20:14 GMT
On Wed, Jul 21, 1999 at 10:49:41AM +0100, Tony Finch wrote:
> Well, if you can hoist into SSL mode with nothing in the clear other
> than the Host: header then the situation is no worse than it is now
> where the endpoints of the connection are public.

And in fact this makes it one better, since I *know* that in the UK at
least, web-hosting competitors would connect to IP addresses without
reverse PTR records (or anonymous records) to find out which IP-based
virtual host replied on that address, and then use that to try to
poach business. With the increase of name-based non-SSL hosts this has
died away I would hope.

This scheme, while allowing you to snoop the Host: header in the
clear, only does so if you can get to the wire, and not just use a
web-browser or telnet. Unscrupulous (sp?) sales people don't get to
wires they don't control.

Regards,
-- 
Peter Galbavy
Knowledge Matters Ltd
http://www.knowledge.com/
