[LINK] Filter to cause World Wide Wait

matthew at sorbs.net matthew at sorbs.net
Fri Oct 31 11:36:55 EST 2008



----- Original Message -----
From: Kim Holburn <kim.holburn at gmail.com>
Date: Friday, October 31, 2008 5:41 am
Subject: Re: [LINK] Filter to cause World Wide Wait
> One of the issues about filtering for https is that up until 
> recently  
> https had to start with a unique IP address for each https server.


Sort of yes, sort of no....

You can run many SSL servers on the same IP, however when the session is
establishing, the browser will check the presented signing certificate
to see whether:

1/ It is signed by a known signer.
2/ It is revoked.
3/ It is ACLd locally to be accepted or denied in the local cert store
(useful for allowing self signed certificates for example).

now the important one..

4/ The Common Name (CN) of the certificate matches the requested
hostname or is a suitable wildcard.

(4) is the only reason why you get the supposed restriction of 1 https
server per IP, however consider a university, they might have for example:

www.uq.edu.au
mail.uq.edu.au
imap.uq.edu.au
pop.uq.edu.au
student.uq.edu.au
lists.uq.edu.au
www.medical.uq.edu.au
www.eng.uq.edu.au
www.its.uq.edu.au

and the list goes on....

now if you have a CMS/LD/F5's or other load balancing/director/proxy
hardware at the front to provide only one IP address (or range) into the
whole site, you can install a public certificate with the CN of
*.uq.edu.au and all the sites will work of the same address/addresses.

Of course that doesn't help an ISP with virtual customers from multiple
top level domains or even multiple domains in the same top level...  No
certificate signer will give you *.com or * in the CN. ;-)

> I believe there is a new protocol similar to TLS that allows an 
> https  session to start unencrypted and then turn on encryption.  It 
> still, as I understand it, would not allow man in the middle attacks but 
> it might allow filtering and outright blocking of https sites by 
> domain name.  It's not clear to me that browsers are implementing it yet  
> though.

Yes, when a connection is made it makes the usual request for the Host:
parameter and issues a STARTTLS command, this allows the correct
certificate to be presented to the browser.  I have not looked at the
protocol specs, so I don't know how it is implemented, but I have to ask
are there any servers supporting it?


Best,

Michelle


More information about the Link mailing list