Wasn’t sure if this was really on-topic, mainly wanted to see what lobsters think about the idea of Google & Amazon voluntarily doing this, particularly given Google’s reported China search plans.
I feel it’s inevitable that somebody breaks some service’s security using SNI/Host confusion. I’m not sure what the attack looks like, but I know it has to happen. :) Something like cache poisoning maybe. https://portswigger.net/blog/practical-web-cache-poisoning
I run an SSL termination endpoint with multiple domains on it. I would not, in a terms of service sense, permit one of those domains to domain front by setting the SNI field to another domain I was incidentally also hosting. I do however have a domain that does nothing but handle SSL/TLS requests when there is no SNI field. It allows my endpoint to gracefully degrade into an error message that can be delivered via https. Typically this would only happen with old and deprecated SSL software and connections, but I wouldn’t be bothered by a domain owner using this already dedicated domain in their SNI field if they wanted to.
I’m a long way from having the problems or concerns highlighted in this article, but you did ask what folk thought.
Makes sense. Thanks :-)