Simon Waters wrote:
> You need an IP address per certificate, as the certificate is the first
> thing sent down the line when an https connection is made. This is a sad
> hangover from the days before name based virtual hosting, and why we
> still get away with charging extra if you want hosting with its own IP
> address.

It's also possible to use a different port on the same IP address for different SSL-enabled sites -- the important bit is that the webserver can uniquely identify which site a client is connecting to (in order to correctly process the request) when it isn't in a position to decrypt the request itself. I can't think of any other way to achieve that without exposing some of the request details, which is what HTTPS is trying to avoid in the first place.

OTOH I have a nagging doubt that exposing the Host header would be an issue, given that if an attacker knew the IP address a client was connecting to, they could generate an HTTPS request to that IP address for any old hostname and see what host the certificate was for. I need to think about that more thoroughly though -- right now I'm rather more concerned with the cold water tank leaking in my loft :(

James

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
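
The two arrangements discussed in this thread, written out as an added configuration example that is not part of the original messages. It assumes Apache httpd with mod_ssl (the thread names no particular webserver); the 192.0.2.x addresses, hostnames and file paths are constructed placeholders.

```apache
# Constructed example: addresses, hostnames and paths are placeholders.
# In both arrangements the server picks the virtual host, and therefore the
# certificate, from the local IP address and port of the accepted connection.
# The Host header cannot be used for this: it only becomes readable after
# the handshake in which the certificate has already been sent.

# Arrangement 1: one IP address per certificate, both on the standard port.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName www.site-a.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-a.crt
    SSLCertificateKeyFile /etc/ssl/example/site-a.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.site-b.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-b.crt
    SSLCertificateKeyFile /etc/ssl/example/site-b.key
</VirtualHost>

# Arrangement 2: a third site shares 192.0.2.10 but listens on its own port.
# The "https" argument tells httpd that this non-standard port carries HTTPS.
Listen 192.0.2.10:8443 https

<VirtualHost 192.0.2.10:8443>
    ServerName www.site-c.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-c.crt
    SSLCertificateKeyFile /etc/ssl/example/site-c.key
</VirtualHost>
```

With the port-based arrangement, clients have to include the port in the URL (https://www.site-c.example:8443/), and the port has to be reachable through any firewall between them and the server.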