David Woolley dixit:

> Because the request URI hasn't been sent at the time that the 
> appropriate certificate for the host needs to be selected.  It is only 
> sent after encryption is established, based on that host name.

Yes, but I showed no less than three ways to deal with that
problem in a less privacy-reducing way.

And *forcing* clients to use SNI instead of merely accepting
it is way out of proportion.

> Although the average web consumer doesn't seem to understand it, knowing 

Note that there’s more to the internet than the web, by the way.

> Even without the host being in clear text, there are quite a lot of side 
> channels that could be used to make a good guess as to which page on
> a server is actually being accessed, in particular checking the length
> of the response.

That may be so, but there are counter-measures for those,
especially if the sheer amount of available pages makes
that untenable.

The existence of other side channels is no excuse to not
plug this one, or rather, to open it in the first place.
And yes, I see this pretty absolutely.

bye,
//mirabilos
-- 
Yes, I hate users and I want them to suffer.
        -- Marco d'Itri on gmane.linux.debian.devel.general

_______________________________________________
Lynx-dev mailing list
Lynx-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/lynx-dev
