On 18-aug-2005, at 6:10, Nicholas Staff wrote:
>> Does this work on port 443? I would assume the SSL security checks
>> wouldn't accept this.

> I believe the FQDN is not encrypted,

If you connect to www.example.com with SSL then there are two names
that are relevant: the one typed by the user (or clicked or whatever)
and the one in the SSL certificate for the server. If this
communication is redirected, I assume the server it's redirected to
doesn't have a valid certificate for www.example.com, even though it
probably has a valid certificate for some other name. This should
trigger a warning or even a failure.

> though the part of the url after the
> FQDN is (so one could redirect based on https:// and/or specific
> FQDN's
> (whether http or https).

Even though the DNS FQDN and the X.509 CN are available in the clear,
the HTTP 1.1 "host" is encrypted, as are any HTTP responses such as a
redirect. I don't see how you could get to that stage without an SSL
warning.

But it could very well be that there is a warning and they assume
people will ignore it.

> If you've ever used websense I would assume the technology is similar.

Not familiar with that...
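The name check discussed in this message, as an added example that is not part of the original e-mail: a minimal RFC 2818-style matcher run over constructed certificates, showing that a server with a valid certificate for some other name fails the check for www.example.com during the handshake, before any HTTP redirect could be delivered. The dict layout, the function names and `filter.example.net` are assumptions of this example.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the name the user requested."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label; require at least
        # three labels in the pattern so "*.com" never matches anything.
        # Partial wildcards such as "w*.example.com" are treated literally.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_valid_for(cert: dict, requested_host: str) -> bool:
    """RFC 2818 rule: use subjectAltName dNSName entries if present, else the CN."""
    names = cert.get("san_dns") or [cert["cn"]]
    return any(dns_name_matches(n, requested_host) for n in names)


def connect_outcome(requested_host: str, presented_cert: dict) -> str:
    """Result the client reaches in the handshake, before any HTTP is exchanged."""
    if cert_valid_for(presented_cert, requested_host):
        return "ok"
    return "name-mismatch warning"


# Constructed certificates; this dict layout is the example's own, not a library format.
ORIGIN_CERT = {"cn": "www.example.com", "san_dns": []}
# Valid certificate, but issued for the redirecting box's own name (hypothetical).
FILTER_CERT = {"cn": "filter.example.net", "san_dns": []}
WILDCARD_CERT = {"cn": "example.com", "san_dns": ["*.example.com", "example.com"]}
# CN matches, but a SAN is present, so the CN is ignored.
SAN_OVERRIDES_CN = {"cn": "www.example.com", "san_dns": ["other.example.org"]}

if __name__ == "__main__":
    for label, cert in [("origin", ORIGIN_CERT), ("filter", FILTER_CERT),
                        ("wildcard", WILDCARD_CERT), ("san-only", SAN_OVERRIDES_CN)]:
        print(f"{label:9s} -> {connect_outcome('www.example.com', cert)}")
```
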