httpd-dev mailing list archives

From Ian G <>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Thu, 09 Oct 2008 09:59:17 GMT

> As we all know, this will not be in 2.2.10... Please recall that
> things must be in -trunk before being viable for backport to 2.2.x.

It's impossible to even express how disappointing this is ;(

There are only two changes in TLS on the server side that have been
identified to have any effect on phishing [1].  TLS/SNI is the easy one.

A httpd fix will almost work by itself;  the browsers already did
their part [2].  Only the config changes implemented by all here are
needed on the web server to turn the LAMPs on in a million small but
secured sites.

Which makes this the #1 easy fix for security in existing code
bases, today, and since around 2004 [3].  This massive injection of
activity will flow through in dozens of ways, e.g., by pulling more
and more Linux guys into thinking about securing systems.

What are the blockages?  Mozo have offered money but don't know what
to do or who to talk to?


[1] The other is the PSK one which requires re-coding on the client
side to be useful.  Nice idea, but may take years to roll out.

[2] In a concerted and serious effort from 2006 or so, the browser
manufacturers implemented TLS/SNI.  They also deprecated SSL v2, and
actively chased sites to switch.  TLS/SNI was one of the two reasons
for actively going out there and badgering the sites; I forget the
other reason.

[3] The rest is really hard, like KCM and security UI.  It requires
end-to-end changes, and a lot of security re-thinking.
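As an added illustration (not part of the original message, and not configuration from the httpd project itself), here is the kind of name-based TLS virtual-host setup the post has in mind: two sites sharing one address and port, each with its own certificate. Hostnames, the IP address and file paths are placeholders. With an SNI-capable mod_ssl (which reached 2.2.x only in later releases), the server selects the certificate matching the hostname the client sends in its ClientHello; without SNI, every vhost on that address:port is answered with the first vhost's certificate, so the second site's visitors get a name-mismatch warning.

```apache
# Added example, not from the original message or the httpd project.
# Two TLS sites on one address; hostnames, IP and paths are placeholders.
Listen 443
NameVirtualHost 192.0.2.10:443

# Clients that send no SNI name land on the first vhost listed below.
# Set this to "on" to refuse such clients access to the other vhosts
# instead of silently serving them the default site's content.
SSLStrictSNIVHostCheck off

<VirtualHost 192.0.2.10:443>
    ServerName www.example.org
    DocumentRoot /srv/www/example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.net
    DocumentRoot /srv/www/example.net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.net.crt
    SSLCertificateKeyFile /etc/ssl/private/example.net.key
</VirtualHost>
```

Check the syntax with `apachectl configtest` before reloading. The important caveat for operators is the one the post alludes to: the browsers already send the SNI name, so the only thing that decides whether `www.example.net` gets its own certificate is whether the mod_ssl in use honours that name when choosing a vhost. A quick way to verify from the outside is to connect with a client that sets the SNI extension (for example `openssl s_client -servername www.example.net -connect 192.0.2.10:443`) and confirm the subject of the certificate returned matches the requested name.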
