nanog mailing list archives
Re: Nxdomain redirect revenue
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 27 Sep 2011 17:08:42 -0500
On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow <morrowc.lists () gmail com> wrote:
> how does tls/https help here? if you get sent to the 'wrong host' whether or not it does https/tls is irrelevant, no? (save the case of chrome and domain pinning)

Because the operator of the "wrong host" cannot obtain an SSL certificate for the right host's domain from a legitimate CA.

When the user types in '[therightdomain].com' and their browser immediately sends them to https://therightdomain.com the HTTPS request will fail and show the user an error message if the site is the wrong one, instead of allowing the wrong server to produce a response.

To be clear, I am suggesting HTTPS should be the default, all servers should support it, and once a browser learns that a site supports HTTPS, it should maintain a memory of that fact in a hash table, and refuse to access the site over HTTP unless specifically requested (in order to prevent downgrade attacks) and refuse to try HTTP first when a new domain is entered.

The http:// schema should be removed/deprecated, and replaced with insecurehttp:// And plain HTTP only used first if the user types that.

That is, HTTPS should become assumed.

Regards,
--
-JH
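
The browser behaviour proposed in the message above, sketched as an added example that is not part of the original post and is not taken from any browser. The class, method and field names are hypothetical, and the handling of an insecurehttp:// link the user did not type is an assumption about how the proposal would treat that case.

```javascript
// Added illustration of the policy proposed in the post; not browser code.
// Class, method and field names are hypothetical.
class HttpsFirstPolicy {
  constructor() {
    // The "hash table": hosts that have completed HTTPS with a valid certificate.
    this.knownHttps = new Set();
  }

  static parse(input) {
    const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(input.trim());
    const rest = m ? m[2] : input.trim();
    const authority = rest.split(/[\/?#]/)[0];
    const host = authority.replace(/^.*@/, "").replace(/:\d+$/, "").toLowerCase();
    return { scheme: m ? m[1].toLowerCase() : null, rest, host };
  }

  // Call only after the certificate chain and host name have verified.
  recordHttpsSuccess(host) {
    this.knownHttps.add(host.toLowerCase());
  }

  // userTyped is true only when the user entered the string by hand.
  resolve(input, { userTyped = false } = {}) {
    const { scheme, rest, host } = HttpsFirstPolicy.parse(input);
    if (scheme !== null && !["http", "https", "insecurehttp"].includes(scheme)) {
      return { action: "not-web", url: input.trim() };
    }
    if (scheme === "insecurehttp") {
      // Plain HTTP is reachable only by explicit user request.
      if (userTyped) return { action: "plain-http", url: "http://" + rest };
      // Assumption: a link cannot make that request on the user's behalf.
      if (this.knownHttps.has(host)) return { action: "blocked-downgrade", url: null };
    }
    // Bare names, https://, legacy http:// and untyped insecurehttp:// links
    // to unknown hosts all start with HTTPS.
    return { action: "https", url: "https://" + rest };
  }

  // A certificate or handshake failure ends the load: no HTTP fallback,
  // so a redirected "wrong host" cannot answer in the right host's name.
  onHttpsFailure(host) {
    return { action: "show-error", host: host.toLowerCase(), fallbackToHttp: false };
  }
}
```
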