Board upgrade 1800-1900hrs 07/02/2008
Re: Board upgrade 1800-1900hrs 07/02/2008
I was only joking about Tut's posts, btw
http://www.rathmhor.com | Coaching, training, consultancy
Re: Board upgrade 1800-1900hrs 07/02/2008
They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from.
tut
Re: Board upgrade 1800-1900hrs 07/02/2008
Good point can we get a user posting analysis module?
tut wrote: They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from.
tut
W213 All Terrain
Re: Board upgrade 1800-1900hrs 07/02/2008
Too busy running after my young family at weekends!
tut wrote: They fill in the blank periods Campbell, i.e. weekends when you lot are not working, which is where you make most of your posts from.
tut
http://www.rathmhor.com | Coaching, training, consultancy
Re: Board upgrade 1800-1900hrs 07/02/2008
We may eventually run into problems using plain HTTP - there are moves in the browser world to treat non-SSL sites with suspicion - ranging from an unhappy icon in the address bar to popping up dire warnings about your computer's chances of survival if you proceed to connect.
Of course it's all security theatre. There is not a single shared point of trust on the internet; it's only a matter of time before it comes to light that the people hosting the so called trusted root certification authorities are just as weak as Sony ...
Anyway, I have no desire to switch to SSL but it's worth thinking about because one day we may have to do it.
Graeme - you can have more than one certificate per IP address; it's pretty obvious if you think about it - the certificate is tied to the IP but the IP is not tied to the certificate. Edited to add that of course your s/w has to support this - but SNI should make that possible.
Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut
Re: Board upgrade 1800-1900hrs 07/02/2008
The problem is, without SNI, that the server doesn't know which SSL certificate to present because the web browser doesn't say which site it's requesting until after the certificate has been presented.
You can solve this without consuming IP addresses by running different sites on different ports, but nobody wants to have to use something like https://www.scottishelises.com:8443/, or by having a single certificate that is valid for multiple domain names (wildcards, SANs) which are quite expensive compared with single domain certificates.
SNI solves this by having the web browser say which site it's requesting earlier so the server can present the correct certificate but, as Robin says, SNI support isn't everywhere yet.
You could also solve this with IPv6 where address shortage isn't a problem but that's not everywhere yet either.
Re: Board upgrade 1800-1900hrs 07/02/2008
Well, Mr Condescending... I know the default is to assume I don't know what I'm talking about, but sometimes, just sometimes, I do.
robin wrote: Graeme - you can have more than one certificate per IP address; it's pretty obvious if you think about it
Even if SANs were free, they're not the answer for shared hosting, as alternative names are visible for all to see on the cert.
211
958
Re: Board upgrade 1800-1900hrs 07/02/2008
I have a spare dl380 in the barn if someone has some rack space....
W213 All Terrain
Re: Board upgrade 1800-1900hrs 07/02/2008
Thanks for the offer Sanjoy but there's no hardware shortage!
- steve_weegie
- Posts: 3241
- Joined: Tue Jun 28, 2005 12:40 am
- Location: Nessieland
Re: Board upgrade 1800-1900hrs 07/02/2008
We could have a redirection at http://www.scottishelises.com to https://www.scottishelises.com:8443, but I guess it may cause issues with people browsing at work on the non-standard port though.
SNI support is available in all the mainstream browsers now though, but lack of SNI support in XP clients running Internet Explorer could cause issues. Also Squid if it's being used as a reverse proxy. I believe haproxy will do SNI though.
Should be possible to run both though and let people choose http or https if their browser meets the criteria.
Re: Board upgrade 1800-1900hrs 07/02/2008
Anyone still running IE on XP has bigger things to focus on than reaching SE...
http://www.rathmhor.com | Coaching, training, consultancy
Re: Board upgrade 1800-1900hrs 07/02/2008
I didn't mention SANs - I agree they are impractical for hosting multiple unrelated sites.
graeme wrote: Even if SANs were free, they're not the answer for shared hosting, as alternative names are visible for all to see on the cert.
I think SNI support is sufficiently prevalent that, by the time modern browsers have issues with non-HTTPS sites, we will be able to ignore the old non-SNI supporting browser/OS combinations (I would already ignore them, if wikipedia is correct: http://en.wikipedia.org/wiki/Server_Nam ... No_support).
Until modern browsers barf on plain old HTTP I wouldn't do anything at all.
So, I think SNI is a good solution and certificates are tied to IPs and IPs are not tied to certificates.
Apologies if that came across as condescending.
Cheers,
Robin
I is in your loomz nibblin ur wirez
#bemoretut
Re: Board upgrade 1800-1900hrs 07/02/2008
Googled on all of this, but needless to say I am still none the wiser.
On the other hand, I can quote Shakespeare and Keats.
tut
ps:- never thought that Robin would have to post as not sounding condescending.
tut
Re: Board upgrade 1800-1900hrs 07/02/2008
Disappointed that nobody has chucked in the SHA-1 grenade yet.
W213 All Terrain
Re: Board upgrade 1800-1900hrs 07/02/2008
When I left Oman we were still using the Mills 36M grenade, did the job, always went off, and cleared a bunker with no problem.
Also perfect for throwing, fitted the hand like a glove and could be pitched 30m with accuracy.
tut