- From: Albert Lunde <atlunde@panix.com>
- Date: Sun, 15 Jul 2012 12:27:57 -0500
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
On 7/14/2012 12:52 AM, Willy Tarreau wrote:
>> That's just not true. There are lots of ways to get to a particular origin
>> server, and I would think that for a malicious person in the middle, the
>> Host header would be more interesting than the ostensible IP address. On
>> the other hand, I do understand why a payload-oblivious load balancer would
>> need to see that header.
>
> Well, TLS offers SNI which also reveals the Host header in clear text, so
> your extreme view of privacy doesn't seem to be shared as much with even
> these guys.

Speaking not as a software developer but as former webmaster, I know there is an unsatisfied desire to do something like name-based virtual hosting with SSL, rather than dedicating an IP address per certificate.

Having something like SNI that revealed the host name up front would be an advantage for us, though we couldn't use it until it was widely adopted in browsers. (Access for applicants, parents, alumni, etc. involves a wider range of web clients than our office intranets.)

--
Albert Lunde
albert-lunde@northwestern.edu
atlunde@panix.com (address for personal mail)
Received on Sunday, 15 July 2012 17:28:26 UTC