[Discuss] My Bank's Web Site is Behaving Oddly

[dsr at randomstring.org (Dan Ritter)]

On Sat, May 07, 2016 at 12:46:32PM -0400, Kent Borg wrote:
> On 05/07/2016 08:25 AM, Matthew Gillen wrote:
> >On 5/4/2016 5:37 PM, Kent Borg wrote:
> >>-kb, the Kent who admits he doesn't know how https works through Akamai
> >>and the like.
> >It doesn't. Akamai is a TLS termination point.  They have the private
> >keys of any domain they are proxying for, so they can act as the TLS
> >endpoint.
> 
> But TLS can work through a more prosaic proxy, which could do load balancing
> and failover stuff. I guess a boring proxy can't serve up cached content
> from nearby locations, it has to pass it on encrypted to a machine with the
> the right certificate. But it could pass it on wisely and cleverly, couldn't
> it? I guess it couldn't do DDoS defense and give each client dedicated IP
> addresses, at least not IPv4 addresses.  (In a few weeks Apple Store is
> going to require ios apps work on IPv6-only networks.)

x509 certs don't care about IPs; the browser matches the cert's
CN (Common Name) against the domain name it was requesting.


-dsr-