On 28/07/18 23:39, Travis Siegel wrote:
I thought the whole reason httpd 1.1 was produced was specifically for this reason.  Why do they need multiple methods of producing the same result, especially when one breaks existing standards?

Because the request URI hasn't been sent at the time that the appropriate certificate for the host needs to be selected. It is only sent after encryption is established, based on that host name.

Although the average web consumer doesn't seem to understand it, knowing that you are talking to the intended host is critical to secure sockets being truly secure. Without that, you are vulnerable to a man in the middle attack.

Even without the host being in clear text, there are quite a lot of side channels that could be used to make a good guess as to which page on a server is actually being accessed, in particular checking the length of the response.


_______________________________________________
Lynx-dev mailing list
Lynx-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/lynx-dev
