
Re: Stopping loss of transparency...

2005-08-18 12:05:38
Nicholas Staff wrote:
On 17-aug-2005, at 15:34, Marc Manthey wrote:

Just to be sure: what we're talking about is that when a customer gets up in the morning and connects to www.ietf.org they get www.advertising-down-your-throat.de instead, right?

Yes, that's exactly what it does; they call it "Portal-Guided Entrance" on ports 80 and 443.

Does this work on port 443? I would assume the SSL security checks wouldn't accept this.

I believe the FQDN is not encrypted, though the part of the URL after the
FQDN is (so one could redirect based on https:// and/or specific FQDNs,
whether http or https).

That's beside the point. According to RFC 2818 section 3.1, where a hostname
is given in an https: URL, the client MUST check this hostname against the
name in the server's certificate. This check will fail if the connection is
redirected to a non-transparent proxy (assuming that the web browser is
complying with RFC 2818, no CA in the browser's trusted CA list has been
compromised, and the crypto is not broken).

--
David Hopwood 
<david(_dot_)nospam(_dot_)hopwood(_at_)blueyonder(_dot_)co(_dot_)uk>


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
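The RFC 2818 section 3.1 check David refers to, as an added example that is not part of the original thread: it runs the hostname-versus-certificate match over constructed certificate dictionaries (in the shape Python's getpeercert() returns; the portal's wildcard certificate is an assumption) and shows why a port 443 redirect to a different host fails that check.

```python
"""RFC 2818 section 3.1 server identity check, shown against constructed
certificate data in the shape returned by ssl.SSLSocket.getpeercert().
Constructed example; no network, no real certificates."""
from urllib.parse import urlsplit


def _label_matches(pattern: str, label: str) -> bool:
    """One DNS label. RFC 2818: '*' matches any single component or fragment."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return ("*" not in tail
            and len(label) >= len(head) + len(tail)
            and label.startswith(head)
            and label.endswith(tail))


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label-by-label match; a wildcard never spans a dot."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(_label_matches(a, b) for a, b in zip(p, h))


def cert_identities(cert: dict) -> list[str]:
    """RFC 2818: use dNSName SANs if any are present, otherwise the CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"][:1]


def check_hostname(cert: dict, url: str) -> bool:
    """The MUST check from RFC 2818 s3.1: URL host vs. certificate identity."""
    host = urlsplit(url).hostname or ""
    return any(dns_name_matches(p, host) for p in cert_identities(cert))


# Constructed certificates: the site the user asked for, and the portal
# that a "Portal-Guided Entrance" redirect would present instead.
IETF_CERT = {"subject": ((("commonName", "www.ietf.org"),),),
             "subjectAltName": (("DNS", "www.ietf.org"), ("DNS", "ietf.org"))}
PORTAL_CERT = {"subject": ((("commonName", "*.advertising-down-your-throat.de"),),),
               "subjectAltName": (("DNS", "*.advertising-down-your-throat.de"),)}

if __name__ == "__main__":
    url = "https://www.ietf.org/"
    print("genuine server:", check_hostname(IETF_CERT, url))         # True
    print("redirected to portal:", check_hostname(PORTAL_CERT, url))  # False
```

A conforming browser refuses the redirected TLS session at this step, before any page content is shown, which is why the portal works only on port 80.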