Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Wed, 27 October 2010 17:21 UTC

From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Marsh Ray <marsh@extendedsubset.com>, "tls@ietf.org" <tls@ietf.org>
Date: Wed, 27 Oct 2010 11:22:44 -0600
Thread-Topic: [TLS] Server Name Indication (SNI) in an IPv6 world?
Thread-Index: Act1+yF5gZ5mD8wDRLeMbpFnQVWCAAAADaFA
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEB01DE12CC@DEN-MEXMS-001.corp.ebay.com>
References: <4CC765D6.6020704@KingsMountain.com> <1288145780.6053.50.camel@mattlaptop2.local> <1288147744.6053.51.camel@mattlaptop2.local> <5EE049BA3C6538409BBE6F1760F328ABEB01DE11FE@DEN-MEXMS-001.corp.ebay.com> <4CC85F0B.2070901@extendedsubset.com>
In-Reply-To: <4CC85F0B.2070901@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] Server Name Indication (SNI) in an IPv6 world?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Oct 2010 17:21:03 -0000

> -----Original Message-----
> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of
> Marsh Ray
> >
> > On non-SSL hosts this gets a lot of play as web servers that don't pay
> > attention to Host headers can become victims of DNS rebinding attacks.
> 
> What?! If clients are willing to make non-SSL connections and are also subject
> to DNS rebinding, then Host headers are the least of your problems.

Sorry, my point is that preventing DNS rebinding relies on client security in many ways, but to make it happen a server also has to serve content for hostnames it doesn't really serve content for.  With TLS this is hard(er) to make happen because of certificate warnings.  For non-TLS, there aren't any indicators.  Servers should be configured to only serve data for their hostnames.  Or, so I'd argue.

- Andy
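Added example, not part of Andy's message or of this thread: one way a plain-HTTP server can follow the advice above and refuse to serve content for hostnames it is not configured for, so that a browser tricked by DNS rebinding into sending a foreign Host header to this server's address gets an error rather than content. The served hostnames, the sample Host values, and the use of status 421 for the rejection are assumptions chosen for the example.

```python
"""Host-header allowlist check (added example, not from the TLS list thread).

Assumptions (constructed for this example): the served hostnames in
SERVED_HOSTS, the sample Host values, and the choice of HTTP 421 as the
rejection status.
"""
from typing import Optional, FrozenSet
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hostnames this server is authoritative for (constructed example values).
SERVED_HOSTS: FrozenSet[str] = frozenset({"www.example.com", "example.com"})


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Return a canonical hostname from a Host header value, or None if the
    header is missing or syntactically unusable.

    Handles surrounding whitespace, letter case, an optional ':port' suffix
    (including bracketed IPv6 literals such as '[::1]:8443'), and a trailing
    dot on the name.
    """
    if host_header is None:
        return None
    h = host_header.strip().lower()
    if not h:
        return None
    if h.startswith("["):                      # IPv6 literal, keep the brackets
        end = h.find("]")
        if end == -1:
            return None
        host = h[: end + 1]
    else:
        host = h.split(":", 1)[0]              # drop ':port' if present
    host = host.rstrip(".")
    # Reject anything that is not a plausible host token (path, userinfo, ...).
    if not host or any(c in host for c in " /\\?#@"):
        return None
    return host


def host_is_served(host_header: Optional[str],
                   served: FrozenSet[str] = SERVED_HOSTS) -> bool:
    """True only if the normalized Host header names a host we actually serve.

    A missing, empty, malformed or foreign Host (what a rebinding victim's
    browser would send to this server's IP) yields False.
    """
    host = normalize_host(host_header)
    return host is not None and host in served


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Minimal handler that enforces the allowlist before serving anything."""

    def do_GET(self) -> None:
        if not host_is_served(self.headers.get("Host")):
            # 421 Misdirected Request: this server is not configured to
            # produce a response for the requested authority.
            self.send_error(421, "Misdirected Request")
            return
        body = b"hello from an allowlisted host\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listens on loopback only. Try, for example:
    #   curl -H 'Host: www.example.com' http://127.0.0.1:8080/   (served)
    #   curl -H 'Host: other.example'   http://127.0.0.1:8080/   (421)
    HTTPServer(("127.0.0.1", 8080), HostCheckingHandler).serve_forever()
```

The same check is usually expressed as a catch-all default virtual host in the web server's own configuration; the point the code makes is that the comparison has to happen after normalizing case, port and trailing dot, and that a missing or malformed Host header is rejected rather than treated as "any host".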