Re: Email Question - OT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 2/22/19 10:15 PM, Tim via users wrote:

Samuel Sieb:

This hasn't been true for a long time.  I don't remember the
acronym, but you can have an unlimited number of website hostnames on
the same IP address that all have their own unique certificates.


"SNI"?  RFC'd in 2003, and still not supported by all browsers, but
appears to be by all the major web server software.
Yes, that's the one and it's supported by all major browsers and most command line tools. 


I was under the impression that /that/ problem was unsolveable.  Due to
both web client and server first trying to connect *before* requesting
the hostname, therefore it wasn't possible to provide a certificate for
the right host.  Of course if the HTTPS protocols have changed, but it
appears not, just an addition has been made:

SNI put the requested domain name into the client's TLS negotiation, so
the server can provide the right site's certificate.
Right, it was unsolvable without extending the protocol. And it theoretically works for any protocol using TLS, not just HTTP. 


The requested hostname is not encrypted, so it can be spied upon.
Experiments are afoot to encrypt this, too, but only very recently
(last year).
And won't be used for many years until client adoption is high enough, just like SNI. 


In most cases, it probably doesn't matter that some third party could
find out you wanted to connect to a particular website (which used to
be hidden with the old way of doing HTTPS, although they still knew the
IP you were connecting to, and could see what DNS lookup you'd done
just prior).  But it can be used for surveillance and censorship.
Without SNI, there would only be one website on an IP and you could get the hostname from the certificate anyway. So it doesn't really make any difference privacy-wise. 
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux