Re: The ability to automatically upgrade a reference to HTTPS from HTTP

On 2014-08 -23, at 20:32, Michael Brunnbauer <brunni@netestate.de> wrote:

> 
> Hello Tim,
> 
>> I'm not sure I understand your argument.
>> That's fine if they have the same content for http and https
> 
> [...]
> 
> So if an administrator has 10 HTTP/1.1 sites on the same IP and wants
> to add a https version of one of those sites, what does he do? Will he
> create a SSL version for every site in the configuration although all but
> one of them will be useless and lead to a certificate error? Of course not.

You are referring I think to the problem with HTTPS virtual hosting in general. With SSL and X.509 as originally designed, virtual hosting does not work. That is a general problem with HTTPS.  There are many reasons you can point to why using HTTPS is a pain.  But that is a separate issue.

(See e.g. http://www.crsr.net/Notes/Apache-HTTPS-virtual-host.html and
https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple )-ssl-certificates-on-one-ip-with-apache-on-ubuntu-12-04   https://en.wikipedia.org/wiki/Server_Name_Indication  etc)

I wonder what stage SNI adoption is at.

You suggest that if clients try to just add a 's' to an existing URL, that because of the HTTPS virtual hosting problem, they will often find a random HTTPS server from another domain answering in fact, with untrusted cert, where the server admin has had no simple option but to configure it that way.
Now I understand your point I think.

Tim

Received on Sunday, 24 August 2014 03:01:31 UTC