On Fri, Jun 02, 2017 at 01:16:01PM +0300, Richard Barnes wrote:
> Operators trying to do this by inspecting TLS (and not decrypting) are
> going to have a bad time anyway. With HTTP/2 connection coalescing, even
> if they can see the certificate, the actual HTTP request could be for any
> name in the certificate. So there's nothing really gained by exposing the
> certificate.

If a web service hoster does not provide any useful demultiplexer then it
can of course not expect not to get blacklisted across services.

Is it not already common practice to assign separate certificates to
separate "web customers"?

--Toerless

> --Richard
>
> > As soon as the IP address used to host a web-service runs
> > multiple web-services (domain-names), this is today done by inspecting the
> > TLS 1.2 server certificate or SNI.
> >
> > Web hosters whose services do share IP addresses across domain names should
> > be very interested to ensure such inspection works, because else a single
> > misbehaving web-service they host will easily cause all their web-services
> > to be blacklisted by any of the varied organizations that create blacklists:
> > because blacklisting can then only be applied on a per-IP-address basis.
> >
> > Of course, IPv6 could make this need somewhat obsolete because there
> > should be no reason to share IPv6 addresses across domain-names, but I am
> > not aware what today's common practices are with IPv6 in this respect.
> >
> > Cheers
> >   Toerless
> >
> > On Thu, Jun 01, 2017 at 04:38:46PM +0200, Benoit Claise wrote:
> > > Dear all,
> > >
> > > You should be aware that the TLS list is debating encrypting SNI so
> > > that the host name cannot be seen from TLS sessions.
> > > https://www.ietf.org/mail-archive/web/tls/current/msg23251.htm
> > >
> > > If you're aware of valid (valid in the IETF-sense) operational
> > > practices that require the host name visible, we should enter the
> > > debate.
> > >
> > > Regards, Benoit
> >
>
-- 
---
t...@cs.fau.de
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls