Re: HTTbis spec size, was: Rechartering HTTPbis

From: Thomas Fossati <tho@koanlogic.com>
Date: Sat, 28 Jan 2012 16:32:24 +0100
Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <10483CE3-AA15-4C77-8A97-AB45C13030A3@koanlogic.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
On Jan 28, 2012, at 3:09 PM, Poul-Henning Kamp wrote:
> That question really boils down to if the Host: header is privacy
> protected or not.  This becomes a particularly intricate dance once
> anonymising proxies are involved.
> 
> If Host: should have privacy, then HTTPS, as we know it, where the
> entire TCP connection is encrypted, is the answer.
> 
> If Host: should not have privacy, in order to allow traffic directors,
> load-balancers and similar to dispatch secure traffic without terminating
> the crypto-session, then a payload-only SSL scheme would be preferable.
> 
> I'm in no position to make a call on this.

Keep in mind that when using TLS on most widespread UAs (i.e. Safari, Chrome, Opera, IE, curl) the server host name is in any case made available in cleartext through SNI in the handshake.
I fear that to avoid that, some change to the TLS spec would be required.
Received on Saturday, 28 January 2012 15:33:53 GMT
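The point above, that the server name travels in cleartext in the ClientHello, is easy to confirm by parsing the handshake bytes directly. The following is an added example and not part of the thread: it builds a constructed, minimal TLS 1.2 ClientHello record (RFC 5246 layout, SNI extension per RFC 6066) and then walks it the way a load balancer or passive observer would, pulling out the `host_name` without any key material. All function names (`build_client_hello`, `extract_sni`) and the sample host name are assumptions made for this illustration.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00         # NameType.host_name
SIG_ALGS_EXTENSION_TYPE = 13  # an unrelated extension the parser must skip


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).

    Only the fields the parser walks are populated meaningfully; the random
    is all zeros and the cipher suite list is a token pair. Pass None to
    produce a ClientHello without an SNI extension.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
    # signature_algorithms with one entry, so SNI is not the only extension
    sig_algs = struct.pack("!H", 2) + b"\x04\x01"
    extensions += struct.pack("!HH", SIG_ALGS_EXTENSION_TYPE, len(sig_algs)) + sig_algs

    body = struct.pack("!H", 0x0303)                    # client_version
    body += bytes(32)                                   # random (zeros, constructed)
    body += b"\x00"                                     # session_id length 0
    body += struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites
    body += b"\x01\x00"                                 # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a TLS ClientHello record, or None if absent.

    Raises ValueError if the bytes are not a ClientHello or are truncated.
    Nothing here is decrypted: every field is read straight off the wire.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    try:
        pos = 2 + 32                                        # client_version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos == len(body):
            return None                                     # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext_data[p:p + 3])
                p += 3
                name = ext_data[p:p + name_len]
                p += name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("idna")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")   # constructed sample
    print("SNI seen on the wire:", extract_sni(hello))
    print("SNI without extension:", extract_sni(build_client_hello(None)))
```

A front-end proxy that does exactly this walk can route by host name without terminating TLS, which is the trade-off the quoted message describes: the same field that makes dispatch possible is visible to anyone on the path. Hiding it does need a protocol change; the later Encrypted Client Hello work for TLS 1.3 is that change.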
