Nxdomain redirect revenue

Jimmy Hess mysidia at gmail.com
Tue Sep 27 22:08:42 UTC 2011


On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:

> how does tls/https help here? if you get sent to the 'wrong host'
> whether or not it does https/tls is irrelevant, no? (save the case of
> chrome and domain pinning)

Because the operator of the "wrong host" cannot obtain an SSL certificate for
the right host's domain from a legitimate CA.

When the user types in '[therightdomain].com' and their browser immediately
sends them to https://therightdomain.com, the HTTPS request will fail and
show the user an error message if the site is the wrong one, instead of
allowing the wrong server to produce a response.


To be clear, I am suggesting HTTPS should be the default, all servers
should support it, and once a browser learns that a site supports HTTPS,
it should maintain a memory of that fact in a hash table, and refuse to
access the site over HTTP unless specifically requested (in order to
prevent downgrade attacks) and refuse to try HTTP first when a new domain
is entered.

The http:// scheme should be removed/deprecated, and replaced with
insecurehttp://
And plain HTTP only used first if the user types that.

That is, HTTPS should become assumed.


Regards,

--
-JH
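The HTTPS-first policy described in the post above, as an added toy model (not code from the thread or from any browser): the browser tries HTTPS for every name, remembers hosts seen over HTTPS, and speaks plain HTTP only for an explicit insecurehttp:// URL, so an NXDOMAIN-redirect host that cannot present a certificate for the typed name produces an error instead of a page. The names, addresses and certificate data are constructed, and reading "specifically requested" as "typed by the user" is an assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data (not real infrastructure): where each name resolves,
# and which names the certificate at that address covers. The misspelled name
# does not exist; the resolver rewrites the NXDOMAIN answer to the ISP's
# redirect host, which holds a certificate only for its own name.
RESOLVE = {
    "therightdomain.com": "203.0.113.10",
    "therightdomian.com": "198.51.100.5",  # NXDOMAIN rewritten to the ad host
}
CERT_COVERS = {
    "203.0.113.10": {"therightdomain.com"},
    "198.51.100.5": {"search-helper.isp.example"},
}


@dataclass
class Browser:
    # The post's "hash table" of hosts already reached over HTTPS.
    known_https: set = field(default_factory=set)

    def fetch(self, url: str, typed_by_user: bool = True) -> str:
        scheme, host = url.split("://", 1) if "://" in url else ("", url)
        ip = RESOLVE.get(host)
        if ip is None:
            return "nxdomain"
        if scheme == "insecurehttp":
            # Assumption: a plain-HTTP link (not typed) to a host already seen
            # over HTTPS is a downgrade and is refused.
            if host in self.known_https and not typed_by_user:
                return "refused: downgrade of a known-HTTPS host"
            # Plain HTTP answers from whoever sits at the address, redirect host included.
            return "http-page-from " + ip
        # Bare names and legacy http:// URLs are both treated as HTTPS first.
        if host in CERT_COVERS.get(ip, set()):
            self.known_https.add(host)
            return "https-ok " + ip
        # The wrong host cannot present a certificate for the typed name.
        return "https-error: certificate does not cover " + host


if __name__ == "__main__":
    b = Browser()
    for u in ("therightdomain.com", "therightdomian.com",
              "insecurehttp://therightdomian.com", "http://therightdomain.com"):
        print(f"{u:40} -> {b.fetch(u)}")
```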




More information about the NANOG mailing list