On Sep 27, 2011, at 4:55 PM, Jimmy Hess wrote:
On Tue, Sep 27, 2011 at 6:09 PM, Owen DeLong <owen@delong.com> wrote:
On Sep 27, 2011, at 3:46 PM, Jimmy Hess wrote:
No, it isn't because it requires you to send the domain portion of the URL in clear text and it may be that you don't necessarily want to disclose even that much information about your browsing to the public.
That's OK. You're kind of mincing security objectives here. In regards to preventing tactics such as domain hijacking by service providers, the goal behind this would be integrity, not confidentiality.
The objective of using SSL is not to strongly encrypt data to keep it secret, it's to apply whatever is necessary to provide a level of integrity assurance.
The SSL cipher can almost be the null cipher, for all it matters, but at least RC4 56-bit or so would be needed, because the null cipher doesn't have message digests in TLS.
--
-JH

As has been pointed out... SSL certs do almost nothing for integrity.

Owen