Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I notice that chromium.org does not require SNI.

SNI was created so that multiple SSL-enabled websites could share the same IP address. (Perhaps because IP addresses are an undue expense for some website owners, unlike, say, chromium.org.)

Assuming the the single IP address is not "anycasted" (another undue expense), does SNI imply that multiple websites1 are in some way sharing a common computer?

Could that be relevant with respect to "site isolation" in any way? Why or why not? (For example, does the server side, perhaps with multiple "tenants" sharing the same hardware, pose a risk to the client concerned about undesirable memory access?)

1 Presumably those websites are handling sensitive information hence the need for SSL.



SNI usually implies that TLS is being terminated for multiple domains on a single computer, but the process actually rendering the HTML (in this case I guess it is Google Sites) may be running on a different computer entirely. It's difficult to infer too much from use of SNI: on the modern internet it often just means the site is behind some kind of CDN which doesn't bother to provision new IP addresses for each site.

In any case, the Site Isolation feature described here is a browser feature, unrelated to how the sites are hosted. Site Isolation provides additional isolation between different websites loaded in a user's web browser in order to limit the scope of some potential exploits: for example, to make it more difficult for malicious code hosted on example.org to access your gmail.com credentials.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: