[Marked OT as this is not even remotely about Tomcat] > From: Johnny Kewl [mailto:[EMAIL PROTECTED] > http://support.microsoft.com/kb/257591
... OK... > If it send the HOST info in step one.... ... which it doesn't as far as I can see... > and the server chose the correct > cert.... I see no problem, the secure session hasnt even > kicked in yet ;) Yes, exactly. So anything sent across the wire (such as the host header) is subject to eavesdropping. The URL, in particular, MUST NOT be sent in cleartext - consider a URL of the form https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The user would no doubt expect SSL to defend his/her access to that URL from eavesdropping :-). The case for not sending the host header in cleartext is weaker, but still present. Consider a blog site such as LiveJournal, for example. It hosts a range of content, separated onto one hostname per blog. Some of that content is pretty explicit, and some people might get rather upset if they knew that *even though they thought they were on a secure channel* then others could eavesdrop on the mere fact that they were reading *that* content, rather than some other innocent content that happened to be on the same IP. So I consider that the ID vul is still present, even via disclosure of just the host header. > If not what is the vulnerability? Whatever cert is sent what > oput there by > the admin dudes, and will be checked client side anyway ;) You're thinking about ID vuls from the side of the server admin. Broaden your thinking - what might a *client* get upset about? - Peter * With thanks to User Friendly (http://www.userfriendly.org), over the years, for warping my mind enough to devise this URL. --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]