On Tue, Sep 27, 2011 at 04:09:03PM -0700, Owen DeLong wrote: > > > Yes, it is realistic to expect every mom-and-pop posting a personal > > web site to utilize a provider that implements SNI, and the sooner > > they do it. > > No, it isn't because it requires you to send the domain portion of the URL > in clear text and it may be that you don't necessarily want to disclose even > that much information about your browsing to the public.
That's what happens without SNI. Without SNI, the IP address of the server is sent in the clear; anyone who captures that traffic knows the IP address, and, without SNI, anyone who want s to translate the IP address to a domain name need only connect to the server and see what certificate is presented. -- Brett