On Mon, 30 Sep 2013 11:47:37 +0200 Adam Back <[email protected]> wrote:
> I think lack of soft-hosting support in TLS was a mistake - it's
> another reason not to turn on SSL (IPv4 addresses are scarce and can
> only host one SSL domain per IP#, that means it costs more, or a
> small hosting company can only host a limited number of domains, and
> so has to charge more for SSL): and I don't see why it's a cost worth
> avoiding to include the domain in the client hello. There's an RFC
> for how to retrofit softhost support via client-hello into TLS but
> it's not deployed AFAIK.

It's called SNI and it is widely deployed. All browsers and all relevant web servers support it.

However, it has one drawback: it doesn't work with SSLv3, which means it breaks every time browsers do a fallback to SSLv3. And they do quite often, because they retry SSLv3 connects if TLS connections fail. Which is also a security problem and allows downgrade attacks, but mainly it means with weak internet connections you often get downgraded connections.

-- 
Hanno Böck
http://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
_______________________________________________ The cryptography mailing list [email protected] http://www.metzdowd.com/mailman/listinfo/cryptography
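To illustrate the point made in the reply above about why SNI cannot survive a fallback to SSLv3, here is an added example (not code from either poster): it builds a minimal ClientHello record for a given protocol version and parses it back out. The SNI host name lives in the TLS extensions block, which the SSLv3 ClientHello format does not have, so a parser sees no name at all on an SSLv3 hello; the cipher suite, random and host name used here are constructed placeholder values.

```python
import struct

def build_client_hello(version, server_name=None):
    """Return a TLS handshake record holding a minimal ClientHello.
    version is a (major, minor) tuple: (3, 0) is SSLv3, (3, 1) TLS 1.0, (3, 3) TLS 1.2.
    Random and cipher suite are constructed placeholder values."""
    body = bytes(version) + b"\x00" * 32              # client_version + 32-byte random (all zero here)
    body += b"\x00"                                    # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"         # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                                # one compression method: null
    if server_name is not None:
        if version <= (3, 0):
            # SSLv3 defined no extensions field, so there is nowhere to put the name.
            raise ValueError("SSLv3 ClientHello has no extensions field; cannot carry SNI")
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name   # name_type host_name (0)
        sni = struct.pack(">H", len(sni_list)) + sni_list
        ext = struct.pack(">HH", 0, len(sni)) + sni                # extension_type server_name (0)
        body += struct.pack(">H", len(ext)) + ext                  # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello (1)
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs   # ContentType handshake

def parse_client_hello(record):
    """Return (client_version, server_name or None) from a ClientHello record.
    A hello that ends right after the compression methods carries no extensions,
    which is the shape every SSLv3 ClientHello has."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9                                              # start of ClientHello body
    version = (record[p], record[p + 1]); p += 2 + 32  # client_version + random
    p += 1 + record[p]                                 # session_id
    p += 2 + struct.unpack(">H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    hs_end = 9 + int.from_bytes(record[6:9], "big")
    if p >= hs_end:
        return version, None                           # no extensions block at all
    ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]; p += 2
    while p < ext_end:
        etype, elen = struct.unpack(">HH", record[p:p + 4]); p += 4
        if etype == 0:                                 # server_name extension
            name_len = struct.unpack(">H", record[p + 3:p + 5])[0]
            return version, record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return version, None
```

Logging the version and presence of the server name for each incoming hello is a simple way to see how often clients on a given deployment actually arrive in the downgraded, name-less state the reply describes.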
