[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Nxdomain redirect revenue
On Tue, Sep 27, 2011 at 8:27 AM, Christopher Morrow
<morrowc.lists at gmail.com> wrote:
> how does tls/https help here? if you get sent to the 'wrong host'
> whether or not it does https/tls is irrelevant, no? (save the case of
> chrome and domain pinning)
Because the operator of the "wrong host" cannot obtain a SSL certificate for
the right host's domain from a legitimate CA.
When the user types in '[therightdomain].com'
and their browser immediately sends them to https://therightdomain.com
the HTTPS request will fail and show the user an error message if the
site is the wrong one,
instead of allowing the wrong server to produce a response.
To be clear, I am suggesting HTTPS should be the default, all servers
should support it,
and once a browser learns that a site supports HTTPS, it should
maintain a memory of that
fact in a hash table, and refuse to access the site over HTTP unless
specifically requested
(in order to prevent downgrade attacks) and refuse to try HTTP first
when a new domain is entered.
The http:// schema should be removed/deprecated, and replaced with
insecurehttp://
And plain HTTP only used first if the user types that.
That is, HTTPs should become assumed.
Regards,
--
-JH