Nxdomain redirect revenue

Chris Adams cmadams at hiwaay.net
Tue Sep 27 20:44:10 CDT 2011


Once upon a time, Owen DeLong <owen at delong.com> said:
> No, it isn't because it requires you to send the domain portion of the URL
> in clear text and it may be that you don't necessarily want to disclose even
> that much information about your browsing to the public.

If you don't want even the site you are browsing public, HTTPS is not
the solution.  Without SNI, HTTPS is one-site-per-IP (nobody uses the
subjectAltName to host multiple different sites on the same IP in
practice), so all somebody has to do is fetch the certificate from the
same IP/port and look at the CN/subjectAltName.  Either that's the site
you went to, or you accepted the host/cert mismatch (and are a target
for spoofing).

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
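An added example (not part of the post above, and not NANOG's or the author's code) showing the disclosure Chris describes: a TLS server on loopback presents a single constructed self-signed certificate, and a client connects by IP:port alone, sending no SNI, and reads the CN and subjectAltName out of the certificate it is handed. The hostnames `www.example.test` and `mail.example.test` are constructed placeholders. A site operator should assume that whatever names are in the served certificate are visible to anyone who can reach the same IP and port.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertNames is what an observer learns from the certificate alone.
type CertNames struct {
	CommonName string
	DNSNames   []string
}

// selfSignedCert builds a throwaway certificate for the demo
// (constructed for this example, not any real site's certificate).
func selfSignedCert(cn string, sans []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // the subjectAltName entries
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// ServeAndFetch starts a TLS listener on loopback with the given certificate,
// then connects to it by IP:port only (Go sends no SNI for an IP literal)
// and returns the names the server's certificate discloses to anyone who
// does the same.
func ServeAndFetch(cn string, sans []string) (CertNames, error) {
	cert, err := selfSignedCert(cn, sans)
	if err != nil {
		return CertNames{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return CertNames{}, err
	}
	defer ln.Close()

	// Server side: accept one connection, complete the handshake, close.
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		if tc, ok := c.(*tls.Conn); ok {
			_ = tc.Handshake()
		}
	}()

	// Client side, the "observer": InsecureSkipVerify because we only read
	// the certificate rather than trust it; the address is an IP, so no SNI.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return CertNames{}, err
	}
	defer conn.Close()
	peer := conn.ConnectionState().PeerCertificates
	if len(peer) == 0 {
		return CertNames{}, fmt.Errorf("no certificate presented")
	}
	return CertNames{CommonName: peer[0].Subject.CommonName, DNSNames: peer[0].DNSNames}, nil
}

func main() {
	names, err := ServeAndFetch("www.example.test", []string{"www.example.test", "mail.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s SAN=%v\n", names.CommonName, names.DNSNames)
}
```

Running it prints the CN and both SAN entries, obtained without ever naming the site in the request; the same fetch works against any single-certificate IP/port, which is the point of the post.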
