Once upon a time, Owen DeLong <[email protected]> said:
> No, it isn't because it requires you to send the domain portion of the URL
> in clear text and it may be that you don't necessarily want to disclose even
> that much information about your browsing to the public.
If you don't want even the site you are browsing public, HTTPS is not the solution. Without SNI, HTTPS is one-site-per-IP (nobody uses the subjectAltName to host multiple different sites on the same IP in practice), so all somebody has to do is fetch the certificate from the same IP/port and look at the CN/subjectAltName. Either that's the site you went to, or you accepted the host/cert mismatch (and are a target for spoofing).

-- 
Chris Adams <[email protected]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
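To check what your own server discloses in the way Chris describes, here is an added example (not code from the thread): it connects to an IP/port with or without SNI and lists the CN and DNS subjectAltNames in whatever certificate is served. The function names, the `probe` helper and the sample certificate dict are assumptions made for this example.

```python
"""Audit what a TLS endpoint reveals to anyone who connects to its IP/port.
Hypothetical helper written for this example; not from the original thread."""
import socket
import ssl
import sys
from typing import List, Optional


def names_from_cert(cert: dict) -> List[str]:
    """Collect the CN and every DNS subjectAltName from an ssl.getpeercert() dict.

    Order is preserved and duplicates dropped, so CN-then-SAN is the usual result.
    """
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return list(dict.fromkeys(names))


def probe(ip: str, port: int = 443, sni: Optional[str] = None,
          timeout: float = 5.0) -> List[str]:
    """Connect to ip:port, sending SNI only if `sni` is given, and return the
    hostnames present in the certificate the server chose to present.

    Chain verification stays on (getpeercert() only returns a parsed dict for a
    verified peer) but hostname checking is off: a CN/SAN mismatch is exactly the
    thing we want to observe, not an error. A self-signed default certificate
    served without SNI will still raise ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return names_from_cert(tls.getpeercert())


if __name__ == "__main__":
    # usage: python audit_sni.py <ip> [port] [sni-hostname]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    name = sys.argv[3] if len(sys.argv) > 3 else None
    print("without SNI:" if name is None else f"with SNI {name}:",
          probe(target, target_port, name))
```

Run it twice, once without the SNI argument and once with it, and compare: if both runs list the same names, the site is identifiable from the IP alone, which is the point made above.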

