According to the patch page, a reminder is good!

Superficially, it is easy to think of SNI as a feature enhancement. Instead, it is better to think of it as a security bug fix to SSL, at the protocol level.

The most common failure mode of any security system is that it is not used. Turned off, left out, assumed away, this has been known since the time of Kerckhoffs. SSL is no exception to this: 99% of all HTTP sites out there fail to protect this way. The first cause of the failure to use SSL for security is that https cannot be easily shared across one IP number. IP#s are a crucial, limited resource. (The second cause is certs :)

The result of these two barriers is that they encouraged SSL not to be used. Bypassed. "We don't need it that much." As this affected more sites than actually use SSL properly, there is little doubt that the overall security impact of the bug is several orders of magnitude more than any other security bug ever seen with SSL.

Here's hoping!

iang
