Gathering session cookies with Firesheep

Posted Nov 4, 2010 16:33 UTC (Thu) by quotemstr (subscriber, #45331)
In reply to: Gathering session cookies with Firesheep by robert_s
Parent article: Gathering session cookies with Firesheep

How about not being able to use virtualhosts with HTTPS? A huge number (the vast majority I would say) of sites on the web use virtualhosts. I wonder how quickly IPv4 would be exhausted if we all started using HTTPS and needed individual IPs for our websites.

Server Name Indication.

On top of that, once we start using HTTPS, most of our lovely tiered caching mechanisms become unusable. All requests will have to be served fully.

Clients cache requests served over SSL just fine. Gateway machines can translate SSL traffic into something before sending it to a reverse proxy or load-balancing it. CDNs also support SSL these days.

You are jumping through intellectual hoops to justify your hostility toward SSL. A modicum of research would have uncovered these solutions. Continuing to risk user privacy merely to save a few CPU cycles is just unacceptable. Network hardware never gets tired. CPU cycles are cheap. Real people have actual sensitive information crucial to their physical and emotional well-being. I can't believe people prefer the former to the latter.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:12 UTC (Thu) by dlang (guest, #313) [Link] (8 responses)

TLS also supports multiple name-based virtual hosts with SSL

the problem is that the browsers don't all support this, so unless you are willing to reject everyone with a bad browser, this doesn't matter.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:14 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (7 responses)

Rejecting IE6 has to happen sooner or later. The other major browsers support SNI.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:22 UTC (Thu) by dlang (guest, #313) [Link] (5 responses)

what about the minor browsers? (and remember to include all the browsers on phones and mobile devices)

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:26 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (4 responses)

iOS4 and Android also support SNI. Even elinks supports it these days.

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:27 UTC (Thu) by dlang (guest, #313) [Link] (3 responses)

iOS and Android are both pretty new platforms

Gathering session cookies with Firesheep

Posted Nov 4, 2010 19:30 UTC (Thu) by quotemstr (subscriber, #45331) [Link] (2 responses)

They're also widely-used; many features don't work with ancient browsers anyway.

Are you really arguing that supporting a handful of users with ancient browsers is worth sacrificing everyone's privacy?

Gathering session cookies with Firesheep

Posted Nov 4, 2010 23:50 UTC (Thu) by nteon (subscriber, #53899) [Link] (1 responses)

according to Wikipedia, no IE on WinXP has SNI support. Thats unfortunately a large chunk of the general, internet browsing public.

Gathering session cookies with Firesheep

Posted Nov 9, 2010 14:36 UTC (Tue) by holstein (guest, #6122) [Link]

Well, that could be (another) incentive to move on to something better.

And Linux runs ususally very well on these ancient machines ;)

Gathering session cookies with Firesheep

Posted Nov 5, 2010 9:03 UTC (Fri) by ekj (guest, #1524) [Link]

Everyone who is on XP and using IE (any version!) lives without SNI. As far as I know (it's been a while since I've used it, so possibly, this has been fixed) IIS also fails to support SNI.

A solution which is unavailable on ~25% of all webservers, and which fail to work for ~10% of all users, is not currently viable.

It seems likely this problem will go away in the future. But at the moment, it's a real problem. 5 years from now, I expect SNI will be pretty universally supported. It'll allow shared-ip-webhosts to offer https afterall, and that's a pretty major progress.