
No, they fixed that. The hostname is sent before the cert is chosen.



No, it isn't fixed for all devices. Windows XP is one example, and even though it is no longer supported by Microsoft, at least 17% of devices on the internet are still using it.


That's not a problem with XP, that's a problem with people that use obsolete versions of IE.

Note that the subject here is talking about what to do in future browser versions, so IE8 never comes into the picture.


Meaning the hostname is also sent in cleartext (which may be problematic for some use cases).

This is the wrong level to be talking about this anyway. IPSec is the "right" thing to do, but that ship sailed, I guess.


Problematic in what cases? You could always get the hostname from the IP before.


You can get a PTR from an IP address, but that's not the same as "the hostname the client requested". If virtuous_activities.com and shameful_fetishes.com both resolve to the same IP address (assuming some application protocol like HTTP that can distinguish by hostname) I could certainly imagine a situation where a client would want to keep the particular hostname requested secret.

(Obviously the attacker in this case would probably also be able to sniff the requests from the resolver, but still; I'm not making this complaint up or anything, a lot of people have mentioned it before.)


No, that's not what I'm saying.

My point is that the hostname has always been leaked with HTTP and HTTPS. SNI does not leak any new information.


When is the hostname sent in plaintext in non-SNI HTTPS? (The resolver, I suppose, but that is a separate issue.)


The certificate is sent before encryption is established.

But that's a red herring. Even if it was all kept encrypted, even if you ignored DNS and reverse DNS, you could connect to the IP yourself.

Yeah, technically there might be more than one hostname, but they're all related hostnames.


> but they're all related hostnames

Huh? I used to have ~100 hosting clients per IP address, none of whom were in any way related to each other (other than in having chosen me as a hosting provider).


That's not the common case, though, and is completely awful to use as an anonymity measure.


Actually, I think it's quite common; it applies to any site not busy enough to justify a dedicated server. By the long-tail principle, that will be the majority of sites on the internet.


Oh, I should be clear, I'm specifically talking about sites sharing a certificate. I know a lot of sites use shared hosting, but it's awkward to get a certificate for a pile of unconnected sites. Most of them will either not support HTTPS or require paying a couple dollars for an IP. (Or, these days, try to rely on SNI.)

