Johnath writes: "As a browser, we do some things to help our users here,
but we can’t solve the problem. https resists this kind of surveillance
and tampering well, but requires sites to provide 100% of their content
over SSL."
http://blog.johnath.com/2009/03/05/deep-packet-inspection-considered-harmful/
One of the biggest blockages with SSL is that small sites cannot easily
provide HTTPS because Apache httpd and IIS do not easily handle
virtualised HTTPS.
The demand for TLS/SNI is there. The threat is there.
What is holding it back is labelling: currently, TLS/SNI is seen as a
"minor feature request" when it is really a major security bug, a flaw
in the original design. It's a bug because people don't use HTTPS and
instead send their data totally in the clear; the worst sort of bug,
because the attacker won without having to attack.
Any news on progress?
iang