You can't really hide this info with SSL: because of a number of design decisions, you can only have one SSL site per IP address. The server has to present a certificate - including site name - before the client sends the Host: header indicating which site you want to see. So the eavesdropper can work out what site you're visiting by looking solely at the IP address.
This isn't an SSL flaw; this is an HTTPS flaw, and it is repaired by RFC 2817, which is, as far as I know, sadly unimplemented in the field.
- Tim
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
