[Noisebridge-discuss] noisebridge.net SSL cert
Jacob Appelbaum
jacob at appelbaum.net
Wed Feb 3 20:23:37 UTC 2010
Brian Ferrell wrote:
>> Can you give an example of a URL that is not handled by the current
>> rewrite setup? AFAICS every URL with "//noisebridge.net" in it already
>> gets 302'd over to "https://www.noisebridge.net".
>>
>> -andy
>>
>
> https://noisebridge.net/wiki/Noisebridge
It is absolutely worthless to encourage people to accept certificates
that are not valid for a given host name. SSL/TLS are already mostly
worthless - lets not take away the last few things of value.
http://noisebridge.net/wiki/Noisebridge will properly redirect while
https://noisebridge.net/wiki/Noisebridge cannot and should not redirect.
You can not (that I know of) cause a redirect in the SSL/TLS handshake.
A browser (firefox, others) will fail to get to any HTTP 302 without
accepting an invalid certificate. There is a TLS name extension but this
isn't a redirect and requires a different certificate anyway. I don't
think we should encourage people by adding a redirect for an incorrect
hostname, it's not safe.
If you're starting off by speaking 443 and you care a great deal, you
should pick your host name correctly.
If you're using port 80, you can be high-jacked and redirected. Sadly,
an attacker can do this too. You can't bootstrap HTTPS security with the
hodgepodge of HTTP insecurity.
The set of HTTP redirects is largely a convenience for people who are
too lazy to type a full URL starting with https://.
Best,
Jake
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 155 bytes
Desc: OpenPGP digital signature
URL: <http://lists.noisebridge.net/pipermail/noisebridge-discuss/attachments/20100203/d7cf954f/attachment-0003.sig>
More information about the Noisebridge-discuss
mailing list