From Peter Crowther <>
Subject [OT] RE: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 12:30:58 GMT
[Marked OT as this is not even remotely about Tomcat]

> From: Johnny Kewl []

... OK...

> If it send the HOST info in step one....

... which it doesn't as far as I can see...

> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)

Yes, exactly.  So anything sent across the wire (such as the host header) is subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the form
*.  The user would no doubt expect SSL to defend his/her access to that URL from eavesdropping.

The case for not sending the host header in cleartext is weaker, but still present.  Consider
a blog site such as LiveJournal, for example.  It hosts a range of content, separated onto
one hostname per blog.  Some of that content is pretty explicit, and some people might get
rather upset if they knew that *even though they thought they were on a secure channel*
others could eavesdrop on the mere fact that they were reading *that* content, rather than
some other innocent content that happened to be on the same IP.  So I consider that the ID
vul is still present, even via disclosure of just the host header.

> If not what is the vulnerability? Whatever cert is sent what
> was put there by
> the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin.  Broaden your thinking -
what might a *client* get upset about?

                - Peter

* With thanks to User Friendly (, over the years, for warping
my mind enough to devise this URL.
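
The layering point argued above, as an added worked example (not part of the original thread, and not Peter's or Johnny's code): in plain HTTP the Host header and the URL cross the wire in cleartext; in HTTPS they are only sent after the handshake, so they are encrypted. The one thing that *can* name the virtual host before the secure session exists is whatever the client puts in its ClientHello. The mechanism that does exactly that is TLS Server Name Indication (RFC 6066, earlier RFC 4366), which the message does not name; it is the concrete form of "sending the HOST info in step one". The code below builds a deterministic ClientHello by hand, asks the local TLS library for a genuine one through memory BIOs (no network), and then plays the passive eavesdropper, pulling the host name straight out of the cleartext record. The host name `some-blog.example.net` is made up for the example.

```python
"""Added example: what a passive observer sees before the TLS session is up.

The server_name (SNI) extension travels in the ClientHello, i.e. before any
key exchange, so anyone on the path reads the virtual host name without
breaking any cryptography. The URL and Host header, by contrast, are only
sent inside the encrypted application data after the handshake.
"""
import ssl
import struct
from typing import Optional

# Hypothetical virtual host used throughout this example (constructed, not a capture).
EXAMPLE_HOST = "some-blog.example.net"


def build_client_hello(host: str) -> bytes:
    """Hand-assemble a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Deterministic bytes so the parser below can be checked exactly."""
    hostname = host.encode("idna")
    # ServerName: name_type 0 (host_name), 2-byte length, name
    server_name = b"\x00" + struct.pack("!H", len(hostname)) + hostname
    sni_ext = struct.pack("!H", len(server_name)) + server_name      # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # ext type 0 = server_name
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + b"\x11" * 32                           # random (fixed filler; irrelevant to parsing)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    # Record layer: ContentType handshake (0x16), legacy version 0x0301, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def real_client_hello(host: str) -> bytes:
    """Have the local TLS library emit a genuine ClientHello for `host`, driving the
    handshake through memory BIOs so no socket is opened."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, library now waits for a ServerHello
    return outgoing.read()


def sniff_sni(record: bytes) -> Optional[str]:
    """The eavesdropper: extract server_name from a cleartext ClientHello record.
    Returns None for anything that is not a ClientHello or carries no SNI."""
    try:
        if len(record) < 5 or record[0] != 0x16:               # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                        # not a ClientHello
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        if end > len(hs):
            return None
        p = 4 + 2 + 32                                          # skip version + random
        p += 1 + hs[p]                                          # skip session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]            # skip cipher_suites
        p += 1 + hs[p]                                          # skip compression_methods
        if p + 2 > end:
            return None                                         # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type != 0x0000:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[0:2])[0]
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                if name_type == 0:                              # host_name
                    return data[q + 3:q + 3 + name_len].decode("idna")
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeError):
        return None


if __name__ == "__main__":
    for label, hello in (("hand-built", build_client_hello(EXAMPLE_HOST)),
                         ("library", real_client_hello(EXAMPLE_HOST))):
        print(f"{label}: {len(hello)} cleartext bytes; observer recovers host = {sniff_sni(hello)!r}")
    # A plain-HTTP request is not a TLS record at all; the parser rejects it,
    # but of course its Host header is readable by simply looking at it.
    print(sniff_sni(b"GET /private/ HTTP/1.1\r\nHost: " + EXAMPLE_HOST.encode() + b"\r\n\r\n"))
```

Running this against a real packet capture is the same operation: take the first record of the client's first TLS flight and feed it to `sniff_sni`. The point is the one made in the message: choosing the certificate by host name before the session starts is only possible if the host name is sent before the session starts, and whatever is sent then is readable by anyone on the path, even though the URL and Host header that follow are protected.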

