On Mon, 30 Sep 2013 11:47:37 +0200 Adam Back <a...@cypherspace.org> wrote:
> I think lack of soft-hosting support in TLS was a mistake - it's
> another reason not to turn on SSL (IPv4 addresses are scarce and can
> only host one SSL domain per IP#, that means it costs more, or a
> small hosting company can only host a limited number of domains, and
> so has to charge more for SSL): and I don't see why it's a cost worth
> avoiding to include the domain in the client hello. There's an RFC
> for how to retrofit softhost support via client-hello into TLS but
> it's not deployed AFAIK.

It's called SNI and it is widely deployed. All browsers and all relevant web servers support it.

However, it has one drawback: It doesn't work with SSLv3, which means it breaks every time browsers do a fallback to SSLv3. And they do quite often, because they retry SSLv3 connections if TLS connections fail. Which is also a security problem and allows downgrade attacks, but mainly it means with weak internet connections you often get downgraded connections.

--
Hanno Böck
http://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: BBB51E42
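The point made above, that SNI rides in the ClientHello extensions block and an SSLv3 (3.0) hello has no such block, can be seen in a passive parser. This is an added example, not code from the thread; it builds a constructed minimal ClientHello (no real crypto) and extracts the server_name extension, returning None for a hello without extensions, which is what a logging or detection tool would see on a downgraded connection.

```python
import struct
from typing import Optional, Tuple

def build_client_hello(version: int, sni: Optional[str]) -> bytes:
    """Constructed sample ClientHello record; version 0x0300 = SSLv3, 0x0303 = TLS 1.2."""
    body = struct.pack(">H", version) + b"\x00" * 32   # client_version + zeroed random
    body += b"\x00"                                    # session_id length 0
    body += b"\x00\x02\x00\x2f"                        # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                # one compression method (null)
    if sni is not None:                                # extensions block only if we carry SNI
        name = sni.encode("ascii")
        sn = b"\x00" + struct.pack(">H", len(name)) + name        # name_type host_name(0)
        sn_list = struct.pack(">H", len(sn)) + sn
        ext = b"\x00\x00" + struct.pack(">H", len(sn_list)) + sn_list  # ext type 0 = server_name
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello(1)
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs

def parse_sni(record: bytes) -> Tuple[int, Optional[str]]:
    """Return (client_version, sni_hostname or None) from a ClientHello record.
    A hello that ends after the compression methods (as SSLv3 hellos do) carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                            # skip handshake type + 3-byte length
    version = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    pos += 32                                          # random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos >= len(hs):
        return version, None                           # no extensions block at all
    ext_len = struct.unpack(">H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hs[pos:pos + 4]); pos += 4
        if etype == 0:                                 # server_name extension
            list_len = struct.unpack(">H", hs[pos:pos + 2])[0]
            q, limit = pos + 2, pos + 2 + list_len
            while q + 3 <= limit:
                ntype, nlen = hs[q], struct.unpack(">H", hs[q + 1:q + 3])[0]
                if ntype == 0:
                    return version, hs[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        pos += elen
    return version, None

if __name__ == "__main__":
    print(parse_sni(build_client_hello(0x0303, "example.org")))  # (771, 'example.org')
    print(parse_sni(build_client_hello(0x0300, None)))           # (768, None)
```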
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography