28 Sep
2011
28 Sep
'11
7:42 a.m.
On Tue, Sep 27, 2011 at 04:09:03PM -0700, Owen DeLong wrote:
Yes, it is realistic to expect every mom-and-pop posting a personal web site to utilize a provider that implements SNI, and the sooner they do it.
No, it isn't because it requires you to send the domain portion of the URL in clear text and it may be that you don't necessarily want to disclose even that much information about your browsing to the public.
That's what happens without SNI. Without SNI, the IP address of the server is sent in the clear; anyone who captures that traffic knows the IP address, and, without SNI, anyone who want s to translate the IP address to a domain name need only connect to the server and see what certificate is presented. -- Brett