An attack on paypal

Wed Jun 11 07:56:21 PDT 2003

The worst trouble I've had with https is that you have no way to use host
header names to differentiate between sites that require different SSL
certificates.

i.e. www.foo.com www.bar.com www.baz.com can't all live on the same IP and
have individual ssl certs for https. :(  This is because the cert is
exchanged before the http 1.1 layer can say "I want www.bar.com" 

So you need to waste IP's for this.  Since the browser standards are
already in place, it's unlikely to be to find a workaround.  i.e. be able
to switch to a different virtual host after you've established the ssl
session.  :(

Personally I find thawte certs to be much cheaper than verisign and they
work just as well.

In any case, anyone is free to do the same thing AlterNIC did - become
your own free CA.  You'll just have to convince everyone else to add your
CA's cert into their browser.  You might be able to get the Mozilla guys
to do this, good luck with the beast of Redmond though.

Either way, having a pop-up isn't that big deal so long as you're sure of
the site you're connecting to.

In either case, we wouldn't need to worry about paying Verisign or anyone
else if we had properly secured DNS.  Then you could trust those pop-up
self-signed SSL cert warnings.

----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of   /|\
  \|/  :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\
<--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech.  \/|\/
  /|\  :Found to date: 0.  Cost of war: $800,000,000,000 USD.        \|/
 + v + :           The look on Sadam's face - priceless!       
--------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------

On Tue, 10 Jun 2003, James A. Donald wrote:

> The most expensive and inconvenient part of https, getting
> certificates from verisign, is fairly useless.
> 
> The useful part of https is that it has stopped password
> sniffing from networks, but the PKI part, where the server, but
> not the client, is supposedly authenticated, does not do much
> good. 