- From: Thomas Fossati <tho@koanlogic.com>
- Date: Sat, 28 Jan 2012 16:32:24 +0100
- To: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Cc: Willy Tarreau <w@1wt.eu>, Julian Reschke <julian.reschke@gmx.de>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Jan 28, 2012, at 3:09 PM, Poul-Henning Kamp wrote: > That question really boils down to if the Host: header is privacy > protected or not. This becomes a particularly intricate dance once > anonymising proxies are involved. > > If Host: should have privacy, then HTTPS, as we know it, where the > entire TCP connection is encrypted, is the answer. > > If Host: should not have privacy, in order to allow traffic directors, > load-balancers and similar to dispatch secure traffic without terminating > the crypto-session, then a payload-only SSL scheme would be preferable. > > I'm in no position to make a call on this. Keep in mind that when using TLS on most widespread UAs (i.e. Safari, Chrome, Opera, IE, curl) the server host name is in any case made available in cleartext through SNI in the handshake. I fear that to avoid that, some change to the TLS spec would be required.
Received on Saturday, 28 January 2012 15:33:53 UTC