User: Password:
|
|
Subscribe / Log in / New account

Firefox security status

Firefox security status

Posted Jun 7, 2007 15:48 UTC (Thu) by erwbgy (subscriber, #4104)
In reply to: Firefox security status by ekj
Parent article: Firefox security status

Requiring updates to be served from SSL-sites has numerous drawbacks, for example it requires you to have a server on a separate IP-adress, which costs extra for many using shared hosting.

I agree that signing updates is a better approach, but it is not necessary to have a separate IP to run both an SSL and non-SSL web server on the same host, since they can (and usually do) use different ports - 80 for HTTP and 443 for HTTPS by default. Using Apache IP-based virtual hosts you can even have both in the same instance.


(Log in to post comments)

Firefox security status

Posted Jun 7, 2007 18:18 UTC (Thu) by Thalience (subscriber, #4217) [Link]

The issue is that each IP address can host only one SSL site. IP(v4) addresses are a scarce resource, and hosting providers naturally pass the costs associated with this along to their customers.

Not that this is an issue for Google, of course.

Firefox security status

Posted Jun 7, 2007 19:49 UTC (Thu) by Los__D (guest, #15263) [Link]

Not true anymore.

The problem originally was that the certificate needs to be served before the headers can be decoded.

If you use the same certificate for all sites (now possible by having them all mentioned in the certificate using subjectAltName), there's no problem.

Firefox security status

Posted Jun 8, 2007 18:11 UTC (Fri) by jengelh (subscriber, #33263) [Link]

Do it the Sourceforge way. One certificate for "sourceforge.net"/www.sourceforge.net, and one for "*.sourceforge.net" that works for all the user projects.

Firefox security status

Posted Jun 8, 2007 21:19 UTC (Fri) by Los__D (guest, #15263) [Link]

I can't see how that would work with one IP/virtual hosts?

Before knowing which certificate to show, it'll need to know the hostname, before it can get to the hostname, it needs to decrypt, before it can decrypt, it needs to show a certificate, before knowing which certificate to show, it... And so on, and so forth...

Firefox security status

Posted Jun 8, 2007 21:32 UTC (Fri) by jengelh (subscriber, #33263) [Link]

The ten or so web servers that serve the projects' pages (http://yourproject.sf.net/) all serve exactly one certificate, which certifies "*.sourceforge.net" (yes, this literal string with an asterisk, w/o quotes). Most browsers support this wildcard.
(Minus the fact that project pages are not reachable over https right now...)

Firefox security status

Posted Jun 8, 2007 21:40 UTC (Fri) by Los__D (guest, #15263) [Link]

Of course, but you'd still need a seperate IP for the www.sf.net cert(and another for www.sourceforge.net and *.sourceforge.net), if you didn't use subjectAltName

Firefox security status

Posted Jun 8, 2007 21:56 UTC (Fri) by jengelh (subscriber, #33263) [Link]

I never claimed projects.sf.net is the same as www.sf.net. You would have found out by running /usr/bin/host anyway.

Firefox security status

Posted Jun 8, 2007 22:02 UTC (Fri) by Los__D (guest, #15263) [Link]

We were discussing if one will need more than one IP for several hosts, I thought that your www.sf.net/*.sf.net suggestion was about using one IP, also for www.sf.net.

I was obviously mistaken.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds