LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Gathering session cookies with Firesheep

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:12 UTC (Thu) by dlang (✭ supporter ✭, #313)
In reply to: Gathering session cookies with Firesheep by quotemstr
Parent article: Gathering session cookies with Firesheep

TLS also supports multiple name-based virtual hosts with SSL

the problem is that the browsers don't all support this, so unless you are willing to reject everyone with a bad browser, this doesn't matter.

(Log in to post comments)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:14 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

Rejecting IE6 has to happen sooner or later. The other major browsers support SNI.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:22 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

what about the minor browsers? (and remember to include all the browsers on phones and mobile devices)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:26 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

iOS4 and Android also support SNI. Even elinks supports it these days.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:27 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

iOS and Android are both pretty new platforms

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:30 UTC (Thu) by quotemstr (subscriber, #45331) [Link]

They're also widely-used; many features don't work with ancient browsers anyway.

Are you really arguing that supporting a handful of users with ancient browsers is worth sacrificing everyone's privacy?

Gathering session cookies with Firesheep

Posted Nov 4, 2010 23:50 UTC (Thu) by nteon (subscriber, #53899) [Link]

according to Wikipedia, no IE on WinXP has SNI support. Thats unfortunately a large chunk of the general, internet browsing public.

Gathering session cookies with Firesheep

Posted Nov 9, 2010 14:36 UTC (Tue) by holstein (subscriber, #6122) [Link]

Well, that could be (another) incentive to move on to something better.

And Linux runs ususally very well on these ancient machines ;)

Gathering session cookies with Firesheep

Posted Nov 5, 2010 9:03 UTC (Fri) by ekj (guest, #1524) [Link]

Everyone who is on XP and using IE (any version!) lives without SNI. As far as I know (it's been a while since I've used it, so possibly, this has been fixed) IIS also fails to support SNI.

A solution which is unavailable on ~25% of all webservers, and which fail to work for ~10% of all users, is not currently viable.

It seems likely this problem will go away in the future. But at the moment, it's a real problem. 5 years from now, I expect SNI will be pretty universally supported. It'll allow shared-ip-webhosts to offer https afterall, and that's a pretty major progress.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds