|
| From: | David Woolley |
| Subject: | Re: [Lynx-dev] SNI is a security vulnerability all by itself (was Re: bug in Lynx' SSL certificate validation -> leaks password in clear text via SNI (under some circumstances)) |
| Date: | Sat, 7 Aug 2021 12:00:33 +0100 |
| User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 |
On 07/08/2021 03:50, Thorsten Glaser wrote:
(Considering SNI also leaks the vhost addressed by the end user, which is otherwise hidden with wildcard certificates or grouped with tone others in multi-subjectAltName certificates, it ought to have been anyway.)
Actually I consider certificates that authenticate anything except the specific web site to be a security liability in themselves. Whilst I'd never heard of SNI, and am only going on the description here, assuming that sending the login details is a bug in Lynx, and not in the SNI specification, it seems to me that they must have been introduced to bring back the proper authentication that was broken by virtual hosting.
Virtual hosts were never introduced to defeat traffic flow analysis. They are there for commercial reasons.
I'd also suspect that the sorts of sites people might not want to be associated with are either clustered on the same physical server, or mixed in with low volume sites, and an analysis of other traffic flow parameters could make a good stab at establishing when they are being accessed.
| [Prev in Thread] | Current Thread | [Next in Thread] |