Once upon a time, Owen DeLong <owen@delong.com> said:
No, it isn't because it requires you to send the domain portion of the URL in clear text and it may be that you don't necessarily want to disclose even that much information about your browsing to the public.
If you don't want even the site you are browsing public, HTTPS is not the solution. Without SNI, HTTPS is one-site-per-IP (nobody uses the subjectAltName to host multiple different sites on the same IP in practice), so all somebody has to do is fetch the certificate from the same IP/port and look at the CN/subjectAltName. Either that's the site you went to, or you accepted the host/cert mismatch (and are a target for spoofing).

--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.