Re: Stopping loss of transparency...




Nicholas Staff wrote:
On 17-aug-2005, at 15:34, Marc Manthey wrote:

Just to be sure: what we're talking about is that when a customer gets up in the morning and connects to www.ietf.org they get www.advertising-down-your-throat.de instead, right?

Yes, that's exactly what it does, they call it "Portal-Guided Entrance" on port :80 and 443.

Does this work on port 443? I would assume the SSL security checks wouldn't accept this.

I believe the FQDN is not encrypted, though the part of the URL after the FQDN is (so one could redirect based on https:// and/or specific FQDNs (whether http or https)).

That's beside the point. According to RFC 2818 section 3.1, where a hostname is given in an https: URL, the client MUST check this hostname against the name in the server's certificate. This check will fail if the connection is redirected to a non-transparent proxy (assuming that the web browser is complying with RFC 2818, no CA in the browser's trusted CA list has been compromised, and the crypto is not broken).

--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
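
The RFC 2818 section 3.1 hostname check referred to in the message above, as an added example that is not part of the original post. The certificate dicts are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the function names are hypothetical.

```python
import re

def _label_match(pattern, label):
    # RFC 2818: '*' matches a single name component or a fragment of one
    # ("f*.com matches foo.com but not bar.com"), never across a dot.
    regex = "[^.]*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label, re.IGNORECASE) is not None

def name_matches(pattern, hostname):
    # Compare label by label, so "*.a.com" cannot match "bar.foo.a.com".
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    return len(p_labels) == len(h_labels) and all(
        _label_match(p, h) for p, h in zip(p_labels, h_labels))

def rfc2818_check(cert, hostname):
    """True if the hostname from the https: URL matches the certificate."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # A dNSName subjectAltName, when present, MUST be used as the identity.
        return any(name_matches(n, hostname) for n in dns_names)
    # Otherwise fall back to the most specific (last) Common Name.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return any(name_matches(cn, hostname) for cn in cns[-1:])

# Constructed sample: certificate held by the site the user asked for.
ORIGIN_CERT = {
    "subject": ((("commonName", "www.ietf.org"),),),
    "subjectAltName": (("DNS", "www.ietf.org"), ("DNS", "*.ietf.org")),
}
# Constructed sample: certificate a redirecting portal could present for
# its own name; it has no valid certificate for www.ietf.org.
PORTAL_CERT = {
    "subject": ((("commonName", "www.advertising-down-your-throat.de"),),),
    "subjectAltName": (("DNS", "www.advertising-down-your-throat.de"),),
}
# Constructed sample: older certificate with a Common Name and no SAN.
CN_ONLY_CERT = {"subject": ((("commonName", "www.ietf.org"),),)}

if __name__ == "__main__":
    requested = "www.ietf.org"  # hostname taken from the https: URL
    for label, cert in (("origin", ORIGIN_CERT), ("portal", PORTAL_CERT)):
        ok = rfc2818_check(cert, requested)
        print(f"{label}: {'accept' if ok else 'reject: name mismatch'}")
```
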






Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.