tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Kewl" <>
Subject Re: [OT] RE: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 13:01:58 GMT

----- Original Message ----- 
From: "Peter Crowther" <>
To: "'Tomcat Users List'" <>
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts

[Marked OT as this is not even remotely about Tomcat]

> From: Johnny Kewl []

... OK...

> If it send the HOST info in step one....

... which it doesn't as far as I can see...

> and the server chose the correct
> cert.... I see no problem, the secure session hasnt even
> kicked in yet ;)

Yes, exactly.  So anything sent across the wire (such as the host header) is 
subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of 
the form *.  The 
user would no doubt expect SSL to defend his/her access to that URL from 
eavesdropping :-).

The case for not sending the host header in cleartext is weaker, but still 
present.  Consider a blog site such as LiveJournal, for example.  It hosts a 
range of content, separated onto one hostname per blog.  Some of that 
content is pretty explicit, and some people might get rather upset if they 
knew that *even though they thought they were on a secure channel* then 
others could eavesdrop on the mere fact that they were reading *that* 
content, rather than some other innocent content that happened to be on the 
same IP.  So I consider that the ID vul is still present, even via 
disclosure of just the host header.

> If not what is the vulnerability? Whatever cert is sent what
> oput there by
> the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin.  Broaden 
your thinking - what might a *client* get upset about?

                - Peter

Ok... its off thread, but I disagree.... the secure session doesnt start out 
secure... even a certificate is clear text, dont see the big deal... once 
you in a session, different story...
I guess this means you not going to help me with my new book ;)
    Curve Ball technology for biz sake... ha ha

The most powerful application server on earth.
The only real POJO Application Server.
See it in Action :

To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message