----- Original Message -----
From: "Peter Crowther" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <users@tomcat.apache.org>
Sent: Monday, September 22, 2008 2:30 PM
Subject: [OT] RE: HTTPS and Virtual Hosts
[Marked OT as this is not even remotely about Tomcat]
> From: Johnny Kewl [mailto:[EMAIL PROTECTED]]
> http://support.microsoft.com/kb/257591
> ... OK...
> If it sends the HOST info in step one....
> ... which it doesn't as far as I can see...
> and the server chose the correct
> cert.... I see no problem, the secure session hasn't even
> kicked in yet ;)
Yes, exactly. So anything sent across the wire (such as the host header) is
subject to eavesdropping.
The URL, in particular, MUST NOT be sent in cleartext - consider a URL of
the form
https://www.innocentsite.com/myphotos/notsoinnocent/llamapr0n372.jpg *. The
user would no doubt expect SSL to defend his/her access to that URL from
eavesdropping :-).
The case for not sending the host header in cleartext is weaker, but still
present. Consider a blog site such as LiveJournal, for example. It hosts a
range of content, separated onto one hostname per blog. Some of that
content is pretty explicit, and some people might get rather upset if they
knew that *even though they thought they were on a secure channel* then
others could eavesdrop on the mere fact that they were reading *that*
content, rather than some other innocent content that happened to be on the
same IP. So I consider that the ID vul is still present, even via
disclosure of just the host header.
> If not, what is the vulnerability? Whatever cert is sent was put there by
> the admin dudes, and will be checked client side anyway ;)
You're thinking about ID vuls from the side of the server admin. Broaden
your thinking - what might a *client* get upset about?
- Peter
Ok... it's off thread, but I disagree.... the secure session doesn't start out
secure... even a certificate is clear text, don't see the big deal... once
you're in a session, different story...
I guess this means you're not going to help me with my new book ;)
Curve Ball technology for biz sake... ha ha
---------------------------------------------------------------------------
HARBOR : http://www.kewlstuff.co.za/index.htm
The most powerful application server on earth.
The only real POJO Application Server.
See it in Action : http://www.kewlstuff.co.za/cd_tut_swf/whatisejb1.htm
---------------------------------------------------------------------------
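As an added example (not code from either poster), the following Python builds a minimal TLS ClientHello and then parses it the way a passive observer on the wire would, listing the fields that are readable before any encryption is negotiated. The builder can optionally append a server_name (SNI) extension, so the parser reports whether a hostname was carried in that first cleartext flight. All byte strings are constructed here, not captured traffic.

```python
import struct

def _u16(n):
    return struct.pack("!H", n)

def build_client_hello(server_name=None):
    """Constructed minimal TLS 1.2 ClientHello record (sample data, not a capture).
    When server_name is given, a server_name (SNI) extension is appended."""
    cipher_suites = _u16(0x002F) + _u16(0x0035)          # two plausible suites
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
    body += _u16(len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                   # one compression method: null
    if server_name:
        name = server_name.encode()
        entry = b"\x00" + _u16(len(name)) + name          # name_type 0 = host_name
        ext_data = _u16(len(entry)) + entry               # ServerNameList length + entry
        ext = _u16(0) + _u16(len(ext_data)) + ext_data    # extension type 0 = server_name
        body += _u16(len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake   # record type 0x16 = handshake

def parse_client_hello(record):
    """Return the fields a passive observer can read from a cleartext ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                                   # skip record + handshake headers
    version = body[:2]
    pos = 34                                            # skip version + 32-byte random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    sni = None
    if pos < len(body):                                 # extensions block present
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0:                              # server_name: hostname in the clear
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode()
            pos += elen
    return {"version": version.hex(), "cipher_suites": suites, "sni": sni}
```

Everything the parser returns is visible to anyone on the path; the HTTP request line and Host header are not in this message at all, since they are only sent once the handshake has completed.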