On 2/22/19 10:15 PM, Tim via users wrote:
> Samuel Sieb:
>> This hasn't been true for a long time. I don't remember the
>> acronym, but you can have an unlimited number of website hostnames on
>> the same IP address that all have their own unique certificates.
>
> "SNI"? RFC'd in 2003, and still not supported by all browsers, but
> appears to be by all the major web server software.

Yes, that's the one, and it's supported by all major browsers and most
command line tools.

> I was under the impression that /that/ problem was unsolvable, due to
> both web client and server first trying to connect *before* requesting
> the hostname, therefore it wasn't possible to provide a certificate for
> the right host. Of course, if the HTTPS protocols have changed, but it
> appears not; just an addition has been made:
>
> SNI puts the requested domain name into the client's TLS negotiation, so
> the server can provide the right site's certificate.

Right, it was unsolvable without extending the protocol. And it
theoretically works for any protocol using TLS, not just HTTP.

> The requested hostname is not encrypted, so it can be spied upon.
> Experiments are afoot to encrypt this, too, but only very recently
> (last year).

And won't be used for many years until client adoption is high enough,
just like SNI.

> In most cases, it probably doesn't matter that some third party could
> find out you wanted to connect to a particular website (which used to
> be hidden with the old way of doing HTTPS, although they still knew the
> IP you were connecting to, and could see what DNS lookup you'd done
> just prior). But it can be used for surveillance and censorship.

Without SNI, there would only be one website on an IP, and you could get
the hostname from the certificate anyway. So it doesn't really make any
difference privacy-wise.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
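An added worked example of the two points the thread makes (the SNI name rides in the ClientHello in plaintext, and the server uses it to pick a certificate). This is illustration code written for this page, not anything posted by the participants or taken from a TLS library. It assumes a deliberately minimal TLS 1.2 ClientHello (one cipher suite, all-zero random, no other extensions) and a constructed certificate table keyed by hostname; `build_client_hello`, `extract_sni` and `select_certificate` are names chosen here, not a real API.

```python
import struct
from typing import Optional

# RFC 6066 extension type for server_name (SNI).
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello record.

    If hostname is given, an RFC 6066 server_name extension is appended;
    the name goes in as plain ASCII, which is exactly why a passive
    observer can read it."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName = name_type(1: 0 = host_name) + length(2) + name
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        # ServerNameList = length(2) + one or more ServerName entries
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        extensions = (struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list))
                      + server_name_list)
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (all zero: constructed example only)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\xc0\x2f"  # cipher_suites: one suite, 0xC02F
        + b"\x01\x00"          # compression_methods: null only
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: type client_hello (1) + 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content type handshake (0x16), legacy version, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """What an on-path observer does: walk the unencrypted ClientHello and
    return the host_name from the server_name extension, or None."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version + random
    pos += 1 + body[pos]                           # skip session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                           # skip compression_methods
    if pos >= len(body):
        return None                                # pre-SNI hello: no extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if ext_type != EXT_SERVER_NAME:
            continue
        p = 2                                      # skip ServerNameList length
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            if ntype == 0:                         # host_name
                return data[p + 3:p + 3 + nlen].decode("ascii")
            p += 3 + nlen
    return None


def select_certificate(record: bytes, certs: dict, default: str) -> str:
    """Server side: choose the certificate for the requested name. With no
    SNI the server can only serve its default, i.e. one site per IP."""
    name = extract_sni(record)
    return certs.get(name, default) if name else default


if __name__ == "__main__":
    # Constructed certificate table: hostname -> certificate label.
    certs = {"a.example": "cert-for-a", "b.example": "cert-for-b"}
    hello = build_client_hello("b.example")
    print(b"b.example" in hello)                         # hostname is in the clear
    print(extract_sni(hello))                            # observer recovers it
    print(select_certificate(hello, certs, "default"))   # server picks cert-for-b
    print(select_certificate(build_client_hello(None), certs, "default"))
```

The parser is deliberately strict about record and handshake types and only understands the fields it needs; real ClientHellos carry more suites and extensions, but the server_name extension is laid out exactly as built here, so the same walk works on a captured one.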