July 09, 2006

Phishing for SNI progress - tantalisingly close?

SNI is slowly coming to fruition. Quick reminder: SNI is the extension that supports multiple SSL servers on the same machine, and is one huge barrier to the routine employment of TLS as an aid against phishing and other threats.

Googling around I found that Apache 2.2.0 may be slated to support SNI. This is important -- until Apache or the Microsoft equivalent supports it as shipped, we will be blocked as browsers will be waiting, waiting, ...

Over on ThoughtTorrent, Nik says that most browsers are good already or are going to be ready to support. What's missing is Apple's Safari. Shocking! File a bug:

Title: Support for TLS Server Name Indication (RFC 3546)

Summary: This is a request for server name indication (SNI) support, per RFC 3546. It's basically TLS' equivalent of the Host header, allowing the correct SSL certificate to be served when multiple domains share the same IP address.

Steps to Reproduce: Connect to a server that supports SNI.

Expected Results: A perfectly normal hello is sent.

Actual Results: An extended hello, with a server_name extension.

Regression: This occurs consistently in my tests using Safari/WebKit as frontends.

Notes: There is a test server available at https://sni.corelands.com/

Other browsers support this:

  • Opera 8.0
  • Internet Explorer 7, beta 2
  • Firefox 2.0
  • Konqueror 4.0

Granted, the last three aren't released yet, but it does show that support is widespread.

But you need an Apple user account to do this. Bummer! Has anyone got one?

Someone else is also running test servers:

https://sni.velox.ch https://alice.sni.velox.ch https://carol.sni.velox.ch https://bob.sni.velox.ch https://dave.sni.velox.ch https://mallory.sni.velox.ch https://www.sni.velox.ch https://test.sni.velox.ch

What more needs to be done? Does Apache need some help in getting this done? Given the importance of spreading more websites to TLS usage (so we can use the certs to deal with phishing on a routine basis) this is one of those projects where it is worth it to go the distance, identify the blockages and see what we can do to remove them.

(I note that Frank has posted more information on the Mofo grants project. Here's a totally random thought .... Is there merit in sponsoring a TLS/SNI compatibility meet? A bit like George's of last year...)

Posted by iang at July 9, 2006 10:34 AM | TrackBack

The idea of sponsoring (or partially sponsoring) a TLS/SNI compatibility gathering is interesting. What I'd need in order to give it serious consideration would be someone to take responsibility for helping to organize it, and for the Mozilla NSS developers to sign up to participate in it. Then we could look at how the Mozilla Foundation might help, e.g., by helping to pay travel costs for selected volunteer open source contributors who deal with SSL/TLS issues.

Posted by: Frank Hecker at July 9, 2006 11:51 AM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.