Graham Leggett wrote:
> I think you're missing the point I am trying to make. The addition of
> SNI is a worthy feature to be added to httpd, ...
I think this is one of the biggest problems. Superficially, it is easy
to think of SNI as a feature enhancement. Instead, it is a security bug
fix to SSL.
The most common failure mode of any security system is that it is not
used. Turned off, left out, assumed away. SSL is no exception to this;
99% of all webservers fail this way. The first cause of the failure to
use SSL for security is that https cannot be easily shared across one IP
number, a crucial, limited resource.
(The second cause is certs :)
The security result was that it encouraged SSL not to be used.
Bypassed. "We don't need it." As this affected more sites than
actually use SSL, there is little doubt that the overall security impact
of the bug is several orders of magnitude more than any other security
bug ever seen with SSL.
> httpd v2.3.0-alpha is to be tagged soon, which means SNI will start
> being available in a release very soon, and SNI will start getting some
> attention from end users.
That would be good!
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto