Nelson B wrote:
Ian G wrote:

Nelson explained this a while ago ... until the
browsers go to SSL3 / TLS 1.0 they cannot handle
virtual hosts.


Ian, If you're going to attribute explanations to me,
please be sure you get them right.

Oh, yes, absolutely, which is why I asked:

    Ian G wrote:
    > Nelson B wrote:
    >
    >> [here I have snipped an old message of mine that says that SSL2
    >>  servers are hindering the rollout of new optional TLS extensions. ]
    >>
    >> Ian, how is that stopping people from using encryption?
    >
    > Correct me if I am wrong, but it means that the
    > virtual hosts capability in newer versions of
    > SSL v3/TLS v1 are not available.

Thanks for any clarifications!

Today the browsers support all 3: SSL2, SSL3, TLS1.
The new TLS extensions are incompatible with SSL2.
So until support for SSL2 is dropped, browsers will
not use the TLS extensions.

That I understood. I also understood that TLS extensions are what enable multiple sites to share one server and offer TLS.

Can you confirm my understanding of TLS - that the
ability to really properly share a server with distinct
certs like distinct HTTP/domains only happens when the
browsers stop initiating using SSL v2?

However, in your case, that's probably not really such a big deal.
SSL has had the ability to support multiple domain names in a single
cert for years.  Numerous CAs now offer certs with multiple domain
names.  You can serve the multiple domain names you want to serve
with a single cert.  The browser will send the intended domain name
in the http header, as in non-secured browsing.

Are those the ones that cost three times as much?

So I can't mix a cheap cert with an expensive cert?

Does this mean that when I add a domain, I need a
new cert that includes that domain name in the list?

I hope you are not too offended, but I don't see that
as much of a solution!

(But you are totally 100% right, I didn't know that
sharing certs was possible between different companies
or sites or organisations.  I'd just not ever do that,
it took me so sodding long to organise the first cert
that I've since let my "real ecommerce" certs expire,
I couldn't face the pain of dealing with renewing it
again :-( )

So my suggestion at the time was to simply set a
time schedule and state in a PR that Firefox
switches over to TLS 1.0 at a certain date, and
sites using SSL2 would suffer.


Any time mozilla disables a feature that works in IE, it only costs
mozilla marketshare.  People who cannot reach a popular site with
mozilla cite this as another reason to go back to IE.


Sure.  Times they are a-changing!  How many
SSL v2 sites are there out there?


(name them and shame them, I say.  Take no
prisoners!)


Try looking through the bug database for SSL2 bugs.
There is a bug whose only purpose is to track SSL2-only sites.

OK, I've searched but I found either 200 bugs or zero bugs. Can you give me a bug number? I'll vote in a millisec for it, but I find the bugzilla interface non-trivial.

The other browsers would no doubt follow suit.


See the explanation above.  If IE dropped it, the other browsers
with less market share would probably also immediately do so.
But none of them want to lose market share to the others.


Ok.  So it's browser market share versus user site
security.  Market share first, security second.

I see continual, repetitive press out there that
mozilla kicks arse on the security front, without
much substance to that.  All bark no bite?

Now, obviously no one person is at risk of their SSL
session being breached, v2 or v3.  But whole masses
of people (me and anyone struggling against the
world-wide shortage of IP numbers) are missing out
on the opportunity to protect their sessions.

I measure that as a loss to security.  Security is
sacrificed to market share - are we agreed here?

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

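Added example, not code from the thread, from Mozilla or from NSS: a small Python model of the point Nelson and Ian are arguing about. An SSLv2-format CLIENT-HELLO has only fixed fields (cipher specs, session id, challenge), so a browser that opens with it has nowhere to say which virtual host it wants; a TLS 1.0 ClientHello can carry the server_name extension (RFC 3546), and a server that reads the name can choose one certificate among several before any HTTP Host header arrives. Without the name it can only hand out one default certificate, which is why the multi-name certificate Nelson mentions is the alternative. The hostnames, cipher lists and certificate labels are constructed sample data, and the wildcard matching is a deliberately simplified version of the usual leftmost-label rule.

```python
"""Added example (not from the thread, Mozilla or NSS): SSLv2 hello vs. TLS 1.0 hello
with server_name (RFC 3546), and per-host certificate selection driven by that name."""
import os
import struct

TLS1_0 = b"\x03\x01"


def _sni_extension(host: str) -> bytes:
    """server_name extension: a ServerNameList with one host_name entry (name_type 0)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_tls_client_hello(server_name=None) -> bytes:
    """TLS 1.0 ClientHello in a handshake record; the SNI extension is appended only on request."""
    suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
    body = (TLS1_0 + os.urandom(32)                    # client_version, random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    if server_name is not None:
        ext = _sni_extension(server_name)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + TLS1_0 + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello() -> bytes:
    """SSLv2 CLIENT-HELLO (2-byte header, high bit set). Only fixed fields exist:
    cipher specs, session id, challenge. There is no place for a server name."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"  # SSL_CK_RC4_128_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    challenge = os.urandom(16)
    body = (b"\x01" + b"\x00\x02"                      # MSG-CLIENT-HELLO, CLIENT-VERSION 2
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def extract_sni(hello: bytes):
    """Return host_name from the server_name extension, or None when the hello is
    SSLv2-format or carries no extensions. Raises ValueError on anything else."""
    if len(hello) >= 3 and hello[0] & 0x80 and hello[2] == 0x01:
        return None                                    # SSLv2 CLIENT-HELLO: no extensions exist
    if not hello or hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", hello[3:5])
    body = hello[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                       # skip client_version and random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos >= len(hs):
        return None                                    # TLS hello without an extensions block
    (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + ext_size]
        pos += 4 + ext_size
        if ext_type != 0x0000:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def _name_matches(host: str, pattern: str) -> bool:
    """Exact match, or a leftmost-label wildcard ("*.example.org" covers one label only)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


# Constructed sample data: certificate label -> names that certificate covers.
# cert-a is one multi-name cert of the kind Nelson describes; cert-b is a separate cert.
CERTS = {
    "cert-a": ["www.example.com", "example.com"],
    "cert-b": ["*.example.org"],
}


def select_certificate(hello: bytes, certs=CERTS, default="cert-a") -> str:
    """What a virtual-hosting TLS server can decide before any HTTP Host header arrives:
    with SNI it serves the matching cert; without it only the default cert is possible."""
    host = extract_sni(hello)
    if host is None:
        return default
    for label, names in certs.items():
        if any(_name_matches(host, n) for n in names):
            return label
    return default


if __name__ == "__main__":
    for label, hello in [("SSLv2 hello", build_sslv2_client_hello()),
                         ("TLS 1.0, no SNI", build_tls_client_hello()),
                         ("TLS 1.0 + SNI shop.example.org", build_tls_client_hello("shop.example.org"))]:
        print(f"{label:32} -> SNI={extract_sni(hello)!r:20} cert={select_certificate(hello)}")
```

The SSLv2 hello and the TLS hello without extensions both land on the default certificate; only the hello carrying server_name lets the server pick cert-b for shop.example.org, which is the capability Ian is asking about and the one a browser forgoes while it keeps opening with the SSLv2 format.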