httpd-dev mailing list archives

From Ian G <>
Subject Reminder on TLS/SNI
Date Fri, 05 Dec 2008 18:41:14 GMT
According to the patch page, a reminder is good!

Superficially, it is easy to think of SNI as a feature enhancement. 
Instead, it is better to think of it as a security bug fix to SSL, at 
the protocol level.

The most common failure mode of any security system is that it is not 
used.  Turned off, left out, assumed away, this has been known since the 
time of Kerckhoffs.  SSL is no exception to this, 99% of all HTTP sites 
out there fail to protect this way.  The first cause of the failure to 
use SSL for security is that https cannot be easily shared across one IP 
number.  IP#s are a crucial, limited resource.  (The second cause is 
certs :)

The result of these two barriers is that they encouraged SSL not to be 
used. Bypassed.  "We don't need it that much."  As this affected more 
sites than actually use SSL properly, there is little doubt that the 
overall security impact of the bug is several orders of magnitude more 
than any other security bug ever seen with SSL.

Here's hoping!
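As an added illustration of the protocol point made in the message above (example code written for this archive page, not from the original post or from httpd's SNI patch): a minimal TLS 1.2 ClientHello carrying the RFC 6066 server_name extension, a parser that recovers the hostname from the raw record, and the per-virtual-host certificate choice that becomes possible only because the name arrives before the server has to send a certificate. Without SNI the server sees nothing but the destination IP at that point, so one IP can carry one certificate. The hostnames and certificate labels are constructed for the example.

```python
"""Build a TLS ClientHello with an SNI extension, parse server_name back out,
and choose a certificate per named vhost on a single IP address.
Example code for this archive page; VHOST_CERTS and the hostnames are
constructed, not taken from any real configuration."""
import os
import struct
from typing import Optional

# Constructed: several TLS virtual hosts sharing one IP address.
VHOST_CERTS = {
    b"www.example.org": "cert-for-www.example.org",
    b"mail.example.org": "cert-for-mail.example.org",
}
DEFAULT_CERT = "cert-for-default-vhost"   # the only option a pre-SNI server has


def build_client_hello(server_name: Optional[bytes], random32: Optional[bytes] = None) -> bytes:
    """Return a TLS record (content type 22) holding a ClientHello.
    server_name=None models an old client that sends no SNI extension."""
    if random32 is None:
        random32 = os.urandom(32)
    body = b"\x03\x03" + random32                  # client_version TLS 1.2, random
    body += b"\x00"                                 # session_id: empty
    body += b"\x00\x02\xc0\x2f"                     # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                             # one compression method: null
    exts = b""
    if server_name is not None:
        # ServerName: name_type host_name(0), 2-byte length, the name
        entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension_type 0 = server_name
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[bytes]:
    """Return the host_name from the server_name extension, or None when the
    client sent no SNI.  Malformed input raises ValueError instead of guessing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                              # client_version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        if pos == len(body):
            return None                                           # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            raise ValueError("extensions overrun ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0x0000:
                continue
            lpos = 2                                              # skip ServerNameList length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name
                lpos += 3 + nlen
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def select_certificate(record: bytes) -> str:
    """Server-side decision taken before the Certificate message: with SNI the
    named vhost's certificate is served; without it only the IP-wide default can be."""
    name = parse_sni(record)
    if name is None:
        return DEFAULT_CERT
    return VHOST_CERTS.get(name.lower(), DEFAULT_CERT)


if __name__ == "__main__":
    for sni in (b"www.example.org", b"mail.example.org", None):
        print(sni, "->", select_certificate(build_client_hello(sni)))
```

The parser deliberately refuses truncated or inconsistent length fields rather than tolerating them; a server that picks a certificate from a half-parsed ClientHello invites exactly the kind of confusion the extension was meant to remove.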

