tomcat-users mailing list archives

From Peter Crowther <Peter.Crowt...@melandra.com>
Subject [OT] RE: HTTPS and Virtual Hosts
Date Mon, 22 Sep 2008 12:30:58 GMT
[Marked OT as this is not even remotely about Tomcat]

> From: Johnny Kewl [mailto:john@kewlstuff.co.za]
> http://support.microsoft.com/kb/257591

... OK...

> If it sends the HOST info in step one....

... which it doesn't as far as I can see...

> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)

Yes, exactly.  So anything sent across the wire (such as the host header) is subject to eavesdropping.

The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the form https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *.  The user would no doubt expect SSL to defend his/her access to that URL from eavesdropping :-).

The case for not sending the host header in cleartext is weaker, but still present.  Consider
a blog site such as LiveJournal, for example.  It hosts a range of content, separated onto
one hostname per blog.  Some of that content is pretty explicit, and some people might get
rather upset if they knew that *even though they thought they were on a secure channel* then
others could eavesdrop on the mere fact that they were reading *that* content, rather than
some other innocent content that happened to be on the same IP.  So I consider that the ID
vul is still present, even via disclosure of just the host header.

> If not what is the vulnerability? Whatever cert is sent was
> put there by
> the admin dudes, and will be checked client side anyway ;)

You're thinking about ID vuls from the side of the server admin.  Broaden your thinking -
what might a *client* get upset about?

                - Peter

* With thanks to User Friendly (http://www.userfriendly.org), over the years, for warping
my mind enough to devise this URL.
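The distinction Peter draws (the URL path is never on the wire in cleartext, the hostname may be) can be made concrete. The following is an added illustration, not code from the thread or from Tomcat. It goes slightly beyond the 2008 discussion: with the RFC 6066 server_name (SNI) extension that browsers now send, the hostname *is* visible in the plaintext ClientHello, exactly the "host info in step one" case the thread speculates about, while the request line and Host header only ever travel inside encrypted application-data records. All record bytes below are constructed sample data; `build_client_hello`, `parse_sni` and `eavesdropper_view` are hypothetical helper names.

```python
"""Which parts of an HTTPS request can a passive observer see?

Added illustration for the thread above (not the poster's code). It builds a
constructed TLS 1.2 ClientHello, with and without the RFC 6066 server_name
(SNI) extension, and parses the SNI back out: a hostname carried in SNI is
plaintext on the wire before any key exchange, while the URL path and the
HTTP Host header exist only inside encrypted application-data records.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Construct a minimal, structurally valid ClientHello record (sample data).

    One cipher suite, null compression, and optionally a single SNI entry;
    this is not a full handshake implementation.
    """
    body = b"\x03\x03"                   # client_version: TLS 1.2
    body += b"\x11" * 32                 # random: constructed fixed bytes
    body += b"\x00"                      # session_id length 0
    body += b"\x00\x02\x00\x2f"          # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                  # compression_methods: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList: one entry, NameType host_name (0), 16-bit length, name
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def parse_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent.

    Field layout follows RFC 5246 section 7.4.1.2 and RFC 6066 section 3.
    A ClientHello with no extensions block (the pre-SNI case discussed in
    the thread) yields None: nothing identifies the virtual host.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                  # handshake hdr, version, random
    sid_len = hs[pos]; pos += 1 + sid_len             # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hs[pos]; pos += 1 + cm_len
    if pos >= len(hs):
        return None                                   # no extensions at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        if ext_type == EXT_SERVER_NAME:
            # skip ServerNameList length (2) and NameType (1); read name length
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_size
    return None


def encrypted_record(payload_len):
    """Constructed stand-in for an application-data record. After the
    handshake, 'GET /myphotos/... HTTP/1.1' and 'Host: ...' live inside this
    opaque payload; zero bytes here stand in for ciphertext."""
    return (bytes([TLS_APPLICATION_DATA]) + b"\x03\x03"
            + struct.pack("!H", payload_len) + b"\x00" * payload_len)


def eavesdropper_view(records):
    """What a passive observer learns from a list of TLS records: SNI
    hostnames from handshake records, and only a byte count from the rest."""
    seen = {"hostnames": [], "encrypted_bytes": 0}
    for rec in records:
        if rec[0] == TLS_HANDSHAKE:
            name = parse_sni(rec)
            if name:
                seen["hostnames"].append(name)
        elif rec[0] == TLS_APPLICATION_DATA:
            seen["encrypted_bytes"] += len(rec) - 5
    return seen


if __name__ == "__main__":
    flow = [build_client_hello("www.innocentsite.com"), encrypted_record(120)]
    print(eavesdropper_view(flow))
    print(eavesdropper_view([build_client_hello(), encrypted_record(120)]))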

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message