* Graham Leggett <[EMAIL PROTECTED]> wrote:

<snip>

> You forget that there is a trust issue here. SSL brings with it not only
> encryption, but certification of the data that's being sent. If the SSL
> protocol somehow allowed external unprotected and untrusted information
> (like the name of the virtual host as you propose) into the equation,
> you would lose the whole point of the SSL.

I don't see any problem with that. If something like an additional host-header is sent before the handshake starts, it's just a kind of multiplexer: it allows several different virtual hosts (not only for http) to sit on the same socket.

> Life is really simple right now - SSL happens on one layer, and HTTP
> happens on the layer above that.

Life is a little bit more complex.

<snip>

> > Well, those were the same folks who invented IPSEC, which is not
> > NAT'able.
>
> Again, IPSEC guarantees that packets have not been tampered with, and
> NAT tampers with packets, so it definitely won't work (although work has
> been done to work around this problem). Don't forget the purpose of SSL:
> verification that data has not been tampered with.

It could be so easy if ipsec was just a tunnel between two points with an encrypted payload and some unencrypted channel identification. Being dependent on the carrier endpoint IPs is complete nonsense and doesn't add any security. But it prevents ipsec usage through NAT firewalls.

But the linux-2.6-ipsec folks make it even worse. There's no longer a separate network interface per tunnel; instead there's an additional netfilter-like table which tells how to encrypt/decrypt for certain address ranges. That isn't just completely illogical, it also makes more complex routing/firewalling environments a real nightmare!

Okay, okay, it's getting OT ... It was just an example that the IETF doesn't stand for well-engineered standards these days.

cu
--
---------------------------------------------------------------------
 Enrico Weigelt    ==   metux IT service
  phone:     +49 36207 519931         www:       http://www.metux.de/
  fax:       +49 36207 519932         email:     [EMAIL PROTECTED]
  cellphone: +49 174 7066481
---------------------------------------------------------------------
 -- DSL from 0 Euro. -- static IP -- UUCP -- Hosting -- Webshops --
---------------------------------------------------------------------
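The host-name multiplexer sketched in the reply above, as an added example (not code from the thread or from any project): a parser that reads the server name a client sends in cleartext before any handshake state exists and picks a backend from it, which is also why such a name can route a connection but never authenticate it. The host names and backend addresses are constructed for the demo.

```python
import struct

BACKENDS = {b"www.example.org": ("10.0.0.10", 443),    # constructed demo table:
            b"mail.example.org": ("10.0.0.11", 443)}   # hypothetical hosts and addresses

def build_client_hello(hostname: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension (demo input)."""
    entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname   # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                      # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni                 # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # client_version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                      # one cipher suite; null compression only
            + struct.pack("!H", len(ext)) + ext)                     # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type 0x16 = handshake

def _take(buf: bytes, p: int, n: int) -> bytes:
    """Slice n bytes at offset p, raising ValueError on truncation instead of silently shortening."""
    if p + n > len(buf):
        raise ValueError("truncated")
    return buf[p:p + n]

def extract_sni(record: bytes):
    """Host name from a ClientHello, or None if absent or malformed; all lengths are bounds-checked."""
    try:
        if record[0] != 0x16:
            return None
        hs = _take(record, 5, struct.unpack("!H", _take(record, 3, 2))[0])
        if hs[0] != 0x01:
            return None
        body = _take(hs, 4, int.from_bytes(_take(hs, 1, 3), "big"))
        p = 34                                                # skip client_version (2) + random (32)
        p += 1 + _take(body, p, 1)[0]                         # session_id
        p += 2 + struct.unpack("!H", _take(body, p, 2))[0]    # cipher_suites
        p += 1 + _take(body, p, 1)[0]                         # compression_methods
        exts = _take(body, p + 2, struct.unpack("!H", _take(body, p, 2))[0])
        while len(exts) >= 4:
            etype, elen = struct.unpack("!HH", exts[:4])
            data, exts = _take(exts, 4, elen), exts[4 + elen:]
            if etype == 0:                                    # server_name extension
                nlen = struct.unpack("!H", _take(data, 3, 2))[0]
                return _take(data, 5, nlen) if data[2] == 0 else None
        return None
    except (IndexError, ValueError, struct.error):
        return None

def route(record: bytes):
    """Pick a backend from the cleartext SNI before any TLS state exists; unknown names get none."""
    return BACKENDS.get(extract_sni(record))
```

The multiplexer only ever sees the unauthenticated name; the certificate check that decides whether the chosen backend is the right one still happens inside the TLS handshake that follows.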