On 05/07/2016 01:05 PM, Dan Ritter wrote:
x509 certs don't care about IPs; the browser matches the cert's CN (Common Name) against the domain name it was requesting.

That makes sense.

So it should be possible to do an anti-DDoS service with tons of IP addresses, but still forward on in encrypted form to a smaller number of real machines. Incapsula could have different certificates for different domains, but it is too much work, so they have gigantic certificates for herds of unrelated domains. Right?

-kb
_______________________________________________
Discuss mailing list
http://lists.blu.org/mailman/listinfo/discuss
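
The name matching discussed in this thread, as an added example that is not part of the original messages: one shared certificate is checked against the requested host name while the front-end IP address varies. The host names, the IP addresses (documentation ranges) and the function names are constructed for illustration, and the sketch assumes the names are carried as subjectAltName dNSName entries matched with RFC 6125 wildcard rules.

```python
# Added example: constructed data, not taken from any real certificate.
import ipaddress

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole
    left-most label, and a wildcard covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two literal labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_valid_for(san_dns_names, requested_host, connected_ip):
    """Decide whether a certificate covers the requested host.
    connected_ip is accepted only to show it plays no part in the decision."""
    ipaddress.ip_address(connected_ip)  # validates the input; otherwise unused
    try:
        ipaddress.ip_address(requested_host)
        return False  # an IP literal never matches a dNSName entry
    except ValueError:
        pass
    return any(dns_name_matches(n, requested_host) for n in san_dns_names)

# Constructed SAN list for one shared front-end certificate (hypothetical names).
SHARED_CERT_SANS = ["shop.example", "*.blog.example", "bank.example.org"]
# Constructed front-end addresses (documentation ranges).
EDGE_IPS = ["192.0.2.10", "198.51.100.7", "203.0.113.99"]

def demo():
    """Return, per requested host, the verdict on each front-end IP."""
    hosts = ["shop.example", "a.blog.example", "a.b.blog.example", "other.example"]
    return {h: [cert_valid_for(SHARED_CERT_SANS, h, ip) for ip in EDGE_IPS]
            for h in hosts}

if __name__ == "__main__":
    for host, per_ip in demo().items():
        print(host, per_ip)
```

The verdict for each host is identical on every address, and a name absent from the shared list is rejected no matter which front-end IP served it.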
