- From: Albert Lunde <atlunde@panix.com>
- Date: Sun, 15 Jul 2012 12:27:57 -0500
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 7/14/2012 12:52 AM, Willy Tarreau wrote:
>>> That?s just not true. There are lots of ways to get to a particular origin
>> server, and I would think that for a malicious person in the middle, the
>> Host header would be more interesting than the ostensible IP address. On
>> the other hand, I do understand why a payload-oblivious load balancer would
>> need to see that header.
>
> Well, TLS offers SNI which also reveals the Host header in clear text, so
> your extreme view of privacy doesn't seem to be shared as much wich even
> these guys.
Speaking not as a software developer but as former webmaster, I know
there is a unsatisfied desire to do something like name-based virtual
hosting with SSL, rather than dedicating an IP address per certificate.
Having something like SNI that revealed the host name up front would be
an advantage for us, though we couldn't use it until it was widely
adopted in browsers.
(Access for applicants, parents, alumni, etc. involves a wider range of
web clients than our office intranets.)
--
Albert Lunde albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Sunday, 15 July 2012 17:28:26 UTC