----- Original Message -----
From: "Peter Crowther" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
Sent: Monday, September 22, 2008 12:19 PM
Subject: RE: HTTPS and Virtual Hosts
> From: Johnny Kewl [mailto:[EMAIL PROTECTED]]
> > I actually can't see any
> > reason why the hand shake couldn't be extended to look at the
> > incoming URL...
>
> Because the URL (or at least the host header) would have to be sent over the
> wire in cleartext, as it's before the encrypted connection is negotiated.
> This is an information disclosure vulnerability.
>
> - Peter
http://support.microsoft.com/kb/257591
If it sends the HOST info in step one.... and the server chose the correct
cert.... I see no problem, the secure session hasn't even kicked in yet ;)
So what are they not allowing?
I think the only vulnerability is to the CA's biz model ;)
If not, what is the vulnerability? Whatever cert is sent was put there by
the admin dudes, and will be checked client side anyway ;)
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------