[Gllug] Couple of questions about HTTPS
Doug Winter
doug at pigeonhold.com
Thu Nov 18 09:07:41 UTC 2004
Richard Jones wrote:
> I read up on this, and the restriction seems to arise because the Host
> header is part of the HTTP request, and is therefore encrypted. You
> can't decrypt the HTTP request until you know the key, and you can't
> get the (right) key until you have the Host header. So now I
> understand! Are there alternatives? Running the different virtual
> hosts on the same IP address but with different port numbers perhaps?
You can do that, yes, but it defeats the purpose of signed browser
certificates, which is cosmetic.
> I'm quite surprised that Firefox doesn't bundle any "free" CA
> certificates. I just checked and Firefox 0.9 just includes the usual
> suspects like Verisign and Thawte. I don't understand why they give
> these companies a free ride, and why a free alternative which just,
> say, verifies email addresses doesn't exist. ... Perhaps time to set
> one up!
Again, this would be largely pointless - if you don't care about the
hierarchical chain, you might as well self-sign.
The purpose of signed certificates is to convince people it's safe to
give you their credit card numbers. It doesn't increase security
particularly (I don't know of any cases of credit card numbers snooped
from networks - it's always insecure servers or clients being broken into).
I imagine there are some people who get certs because their data is
actually secret, but again they're happy with self-signing - it provides
the same level of encryption, just not the third-party assertion of
identity.
doug.
--
6973E2CF: 2C95 66AD 1596 37D2 41FC 609F 76C0 A4EC 6973 E2CF
http://adju.st/
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug