
Re: Stopping loss of transparency...

2005-08-18 03:11:09
On 18-aug-2005, at 6:10, Nicholas Staff wrote:

Does this work on port 443? I would assume the SSL security checks
wouldn't accept this.

I believe the FQDN is not encrypted,

If you connect to www.example.com with SSL then there are two names that are relevant: the one typed by the user (or clicked or whatever) and the one in the SSL certificate for the server. If this communication is redirected, I assume the server it's redirected to doesn't have a valid certificate for www.example.com, even though it probably has a valid certificate for some other name. This should trigger a warning or even a failure.

though the part of the URL after the
FQDN is (so one could redirect based on https:// and/or specific FQDNs
(whether http or https)).

Even though the DNS FQDN and the X.509 CN are available in the clear, the HTTP 1.1 "host" is encrypted, as are any HTTP responses such as a redirect. I don't see how you could get to that stage without an SSL warning.

But it could very well be that there is a warning and they assume people will ignore it.

If you've ever used Websense I would assume the technology is similar.

Not familiar with that...

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
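
Added example, not part of the original message: a sketch of the name comparison discussed above, in which the name the user asked for is checked against the names in the certificate the answering server presents. The certificate dictionaries use the layout of Python's `ssl.SSLSocket.getpeercert()`; both certificates and the name `portal.isp.example` are constructed, and the matcher is a simplified stand-in for a full TLS library check.

```python
def cert_dns_names(cert):
    """DNS names a getpeercert()-style dict vouches for: SAN entries, else subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject '*.com'-style patterns
    return p == h


def check_server(requested_host, cert):
    """Return (ok, names): whether the certificate covers the requested host."""
    names = cert_dns_names(cert)
    return any(name_matches(n, requested_host) for n in names), names


# Constructed sample certificates (assumption: not taken from any real server).
GENUINE = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
# Valid for its own name, but not for the name the user typed.
REDIRECT_TARGET = {
    "subject": ((("commonName", "portal.isp.example"),),),
    "subjectAltName": (("DNS", "portal.isp.example"),),
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("redirect target", REDIRECT_TARGET)):
        ok, names = check_server("www.example.com", cert)
        verdict = "accept" if ok else "warn or fail: name mismatch"
        print(f"{label}: certificate names {names} -> {verdict}")
```
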


