Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

Marsh Ray <marsh@extendedsubset.com> Wed, 27 October 2010 20:46 UTC

Message-ID: <4CC89018.1070100@extendedsubset.com>
Date: Wed, 27 Oct 2010 15:48:24 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
References: <4CC765D6.6020704@KingsMountain.com> <1288145780.6053.50.camel@mattlaptop2.local> <1288147744.6053.51.camel@mattlaptop2.local> <5EE049BA3C6538409BBE6F1760F328ABEB01DE11FE@DEN-MEXMS-001.corp.ebay.com> <4CC85F0B.2070901@extendedsubset.com> <5EE049BA3C6538409BBE6F1760F328ABEB01DE12CC@DEN-MEXMS-001.corp.ebay.com>
In-Reply-To: <5EE049BA3C6538409BBE6F1760F328ABEB01DE12CC@DEN-MEXMS-001.corp.ebay.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Server Name Indication (SNI) in an IPv6 world?

On 10/27/2010 12:22 PM, Steingruebl, Andy wrote:
>> What?! If clients are willing to make non-SSL connections and are
>> also subject to DNS rebinding, then Host headers are the least of
>> your problems.
>
> Sorry, my point is that preventing DNS rebinding relies on client
> security in many ways, but to make it happen a server also has to
> serve content for hostnames it doesn't really serve content for.
> With TLS this is hard(er) to make happen because of certificate
> warnings.  For non-TLS, there aren't any indicators.  Servers should
> be configured to only serve data for their hostnames.  Or, so I'd
> argue.

Ah, that makes sense; I was not fully getting your meaning.

Still, who's to say that the thing that gets the incoming connection at 
the re-bound DNS name will necessarily even be an HTTP server? I know 
browsers are increasingly blacklisting known ports, to try to mitigate 
this sort of thing.

It could be mildly discomforting to see an invalid host header printed 
on the address label of an item returned by the postal service after 
installing that high-speed check printer/stuffer/mailer!

- Marsh
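The mitigation Andy argues for above, a server that answers only for the hostnames it is configured to serve, can be demonstrated in a few lines. The following is an added example and not code from the thread or from any IETF project: a small WSGI middleware that normalizes the Host header (port suffix, trailing dot, case, and bracketed IPv6 literals, since the thread is about IPv6) and refuses anything outside a constructed allowlist. A rebound DNS name still carries the attacker's hostname in the Host header, so refusing it denies the attacker's script any content from the server it was rebound to. The hostnames, the `hello_app` application, and the `respond` driver are assumptions made up for the example.

```python
"""Host-header allowlisting as a DNS-rebinding mitigation (added example).

Assumes a WSGI-style server. SERVED_HOSTS and the sample requests are
constructed data, not values taken from the original discussion.
"""
from ipaddress import ip_address
from typing import Optional

# Constructed allowlist: the names (and one IPv6 literal) this server is
# actually configured to serve. Entries are stored in normalized form.
SERVED_HOSTS = {"www.example.test", "example.test", "[2001:db8::1]"}


def normalize_host(host_header: str) -> Optional[str]:
    """Return the canonical hostname from a Host header value, or None if unusable.

    Accepts the forms a browser may send: optional ":port", trailing dot,
    mixed case, and a bracketed IPv6 literal such as "[2001:DB8::1]:8443".
    """
    if not host_header:
        return None  # HTTP/1.0 request with no Host header: not one of ours
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None  # unterminated IPv6 literal
        literal, rest = value[1:end], value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None  # junk after the closing bracket
        try:
            # Compress the literal so "2001:DB8:0:0::1" and "2001:db8::1" compare equal
            return "[" + ip_address(literal).compressed + "]"
        except ValueError:
            return None
    if value.count(":") > 1:
        return None  # unbracketed IPv6 literal is not a valid Host form
    name, sep, port = value.rpartition(":")
    if sep:
        if not port.isdigit():
            return None
        value = name
    value = value.rstrip(".").lower()
    return value or None


def host_is_served(host_header: str, served=SERVED_HOSTS) -> bool:
    """True only when the request names a host this server is meant to serve."""
    host = normalize_host(host_header)
    return host is not None and host in served


def host_guard(app, served=SERVED_HOSTS):
    """WSGI middleware: refuse requests whose Host is not one of ours with 421."""
    def guarded(environ, start_response):
        if not host_is_served(environ.get("HTTP_HOST", ""), served):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        return app(environ, start_response)
    return guarded


def hello_app(environ, start_response):
    """Stand-in for the real application behind the guard (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from " + environ["HTTP_HOST"].encode() + b"\n"]


def respond(app, host_header: str):
    """Drive a WSGI app with a constructed GET request; return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host_header}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    guarded = host_guard(hello_app)
    # Legitimate request vs. the Host a rebound attacker domain would carry.
    for host in ("WWW.Example.test:443", "[2001:DB8:0:0::1]:8443", "attacker.example"):
        print(host, "->", respond(guarded, host))
```

Returning 421 rather than a default virtual host's content is the point: an `nginx`-style `default_server` that happily serves the first site it finds is exactly the behaviour the rebinding attacker relies on.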