Re: HTTPS and URL encoding

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 05/30/04


Date: Sun, 30 May 2004 18:12:03 GMT

dap99@i-55.com said:
>On Thu, 27 May 2004 18:36:23 -0400, Barry Margolin
><barmar@alum.mit.edu> wrote:
>
>>In article <40B66A5F.F403FFB1@anta.net>, Thor Kottelin <thor@anta.net>
>>wrote:
>>> > Not if it's a virtual server -- multiple names map to the same address,
>>> > and the reverse lookup probably wouldn't produce the one that the user
>>> > used.
>>>
>>> It's not very common for HTTPS to be available on name-based virtual hosts,
>>> is it?
>>
>>Good point. Now that you remind me, I think there's a problem with
>>certificate verification, which is based on IP rather than name.
>
>I wish they would fix that.

I think I've seen some discussion about changing HTTP to provide ways to
negotiate SSL on an existing connection (like is currently possible for
SMTP and I think IMAP). So, it'd be possible to first tell the remote site
which site (name) you wish to use, and the server could choose the correct
certificate based on that.

>Yes, it would be painful and a long process, but I can still wish.
>Having to dedicate an IP for each SSL site is a real administrative
>pain. You can host multiple SSL sites on one IP using different ports,
>but users get scared when they click to https://ssl.site.com:534.

And, at some places proxies may only allow outbound CONNECT requests
to port 443. So, when proxies are used for https, the client will
first contact the proxy, and ask the proxy to open a connection to
a given remote IP, and a given port at that IP. After that, the
proxy will be just moving packets back and forth, without the ability
to itself see what is being transferred (as the encryption is still
negotiated between the client and server machines).

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
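
The proxy behaviour described in the post above, as an added example that is not part of the original message: the target host and port on the CONNECT line are all a forward proxy sees before it starts relaying ciphertext, so its policy can only act on them. The function names and the 443-only allowlist are assumptions made for this sketch.

```python
from typing import NamedTuple, Optional, Tuple

# Assumption for this example: the proxy policy permits tunnels to port 443 only.
ALLOWED_PORTS = {443}


class Decision(NamedTuple):
    allowed: bool
    status_line: str                    # what the proxy answers to the client
    target: Optional[Tuple[str, int]]   # (host, port), all the proxy ever learns


def parse_connect(request_line: str) -> Tuple[str, int]:
    """Parse 'CONNECT host:port HTTP/1.x' into (host, port)."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request")
    if not parts[2].startswith("HTTP/1."):
        raise ValueError("unsupported HTTP version")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        raise ValueError("target must be host:port")
    if not 0 < int(port) < 65536:
        raise ValueError("port out of range")
    return host.strip("[]"), int(port)   # brackets: IPv6 literal


def decide(request_line: str) -> Decision:
    """Apply the port policy; on success the proxy would start relaying bytes."""
    try:
        host, port = parse_connect(request_line)
    except ValueError:
        return Decision(False, "HTTP/1.1 400 Bad Request", None)
    if port not in ALLOWED_PORTS:
        return Decision(False, "HTTP/1.1 403 Forbidden", (host, port))
    # From here on the proxy only copies ciphertext in both directions.
    return Decision(True, "HTTP/1.1 200 Connection established", (host, port))


if __name__ == "__main__":
    # Constructed sample requests; the host and port 534 come from the post above.
    for line in ("CONNECT ssl.site.com:443 HTTP/1.1",
                 "CONNECT ssl.site.com:534 HTTP/1.1",
                 "GET http://ssl.site.com/ HTTP/1.1"):
        print(line, "->", decide(line).status_line)
```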

