Re: [Lynx-dev] TLS-"transport layer security" & LYNX

From: David Woolley
Subject: Re: [Lynx-dev] TLS-"transport layer security" & LYNX
Date: Sun, 29 Jul 2018 00:12:29 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 28/07/18 23:39, Travis Siegel wrote:
> I thought the whole reason httpd 1.1 was produced was specifically for this reason.  Why do they need multiple methods of producing the same result, especially when one breaks existing standards?

Because the request URI hasn't been sent at the time that the appropriate certificate for the host needs to be selected. It is only sent after encryption is established, based on that host name.

Although the average web consumer doesn't seem to understand it, knowing that you are talking to the intended host is critical to secure sockets being truly secure. Without that, you are vulnerable to a man in the middle attack.

Even without the host being in clear text, there are quite a lot of side channels that could be used to make a good guess as to which page on a server is actually being accessed, in particular checking the length of the response.
