nanog mailing list archives

Re: Nxdomain redirect revenue


From: Chris Adams <cmadams () hiwaay net>
Date: Tue, 27 Sep 2011 20:44:10 -0500

Once upon a time, Owen DeLong <owen () delong com> said:
No, it isn't because it requires you to send the domain portion of the URL
in clear text and it may be that you don't necessarily want to disclose even
that much information about your browsing to the public.

If you don't want even the site you are browsing public, HTTPS is not
the solution.  Without SNI, HTTPS is one-site-per-IP (nobody uses the
subjectAltName to host multiple different sites on the same IP in
practice), so all somebody has to do is fetch the certificate from the
same IP/port and look at the CN/subjectAltName.  Either that's the site
you went to, or you accepted the host/cert mismatch (and are a target
for spoofing).

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.