[cryptography] [Cryptography] TLS2

Ralph Holz holz at net.in.tum.de
Mon Sep 30 08:22:11 EDT 2013


>> I am not so sure many servers support it, though. My latest data,
>> unfortunately, is not evaluated yet. But in 2011 the difference between
>> switching on SNI and connecting without it, was pretty meagre across the
>> Alexa range. Granted, many of those hosts may not be VHosts.
>> Does Google have better data on that?
> I think you're testing that wrong. The major websites run one website
> at multiple IPs - not multiple websites at a single IP.  So connecting
> with/without SNI will usually get you the same result.

To clarify: we did not hunt SNI-enabled sites. We were after cases where
a server on the Alexa lists shows the default certificate for another
site, but will show the correct one if SNI is enabled. We thus did two
scans back then, one with and one without SNI enabled, and determined
whether we saw different certificates for some domains. In the setup you
describe, we'd fully expect the same certs -- and I agree it seems to be
the much more prevailing setup.

> You want to test the Alexa 2,000,000 - 3,000,000 sites and see if you
> get a different result - hit shared hosting sites, where multiple
> sites run on a single IP.

Ideally, I'd combine an IP scan with DNS information from zone files
(which we have, but I don't have the time to do it).

> [0] https://en.wikipedia.org/wiki/Server_Name_Indication

Yes, but our scans back then did not determine deployed server versions.


Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
Phone +
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
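
Added example, not part of the original post and not the scan tooling the thread refers to: a Python sketch of the two-pass methodology described above (one handshake per host with SNI, one without, then a comparison of the certificates seen). Host names, IPs and the fingerprints used in the test are constructed; the label names (`same_cert`, `sni_dependent`, `requires_sni`, ...) are my own.

```python
"""Two-pass SNI scan: does a host present a different certificate
when the ClientHello carries server_name than when it does not?
Added example; names, labels and sample data are constructed."""
import hashlib
import socket
import ssl
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

# hex SHA-256 of the DER leaf certificate, or None when the handshake failed
Fingerprint = Optional[str]


def fetch_fingerprint(ip: str, port: int = 443, sni: Optional[str] = None,
                      timeout: float = 5.0) -> Fingerprint:
    """Handshake with ip:port and fingerprint the leaf certificate presented.

    sni=None sends a ClientHello with no server_name extension at all;
    any other value is sent as the SNI host name.  Verification is disabled
    on purpose: the scan records whatever the server hands out, including a
    default certificate issued for some other site.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:  # ssl.SSLError is an OSError subclass
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def scan(targets: Dict[str, str], port: int = 443
         ) -> Tuple[Dict[str, Fingerprint], Dict[str, Fingerprint]]:
    """Run both passes over {domain: ip}; returns (with_sni, without_sni)."""
    with_sni = {d: fetch_fingerprint(ip, port, sni=d) for d, ip in targets.items()}
    without_sni = {d: fetch_fingerprint(ip, port, sni=None) for d, ip in targets.items()}
    return with_sni, without_sni


def classify(with_sni: Dict[str, Fingerprint],
             without_sni: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Label each domain by how the two passes compared."""
    labels: Dict[str, str] = {}
    for domain in sorted(set(with_sni) | set(without_sni)):
        a, b = with_sni.get(domain), without_sni.get(domain)
        if a is None and b is None:
            labels[domain] = "unreachable"
        elif b is None:
            labels[domain] = "requires_sni"     # handshake only succeeds with SNI
        elif a is None:
            labels[domain] = "failed_with_sni"  # rare, but worth recording
        elif a == b:
            labels[domain] = "same_cert"        # e.g. one site served from many IPs
        else:
            labels[domain] = "sni_dependent"    # default cert without SNI, another with it
    return labels


def sni_dependent_domains(labels: Dict[str, str]) -> List[str]:
    """The cases the scan is after: a different certificate once SNI is sent."""
    return [d for d, label in labels.items() if label == "sni_dependent"]


def summarize(labels: Dict[str, str]) -> Dict[str, int]:
    """Count of domains per label."""
    return dict(Counter(labels.values()))


if __name__ == "__main__":
    # usage: python sni_scan.py domain ip [domain ip ...]
    args = sys.argv[1:]
    targets = dict(zip(args[0::2], args[1::2]))
    labels = classify(*scan(targets))
    for domain, label in labels.items():
        print(f"{domain:40s} {label}")
    print(summarize(labels))
```

The comparison is deliberately on the leaf certificate only; a server that rotates between several valid certificates for the same name would also show up as `sni_dependent`, so hits from a large run still need a look at the names in the two certificates before being counted as "default certificate for another site".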
