tls
Working to end the digital certificate racket
Submitted by specialj on Fri, 2007-12-21 20:22.
I was happy to read the article Digital Certificates: Do They Work?, which mentioned the excellent paper by Carl Ellison and Bruce Schneier titled Ten Risks of PKI: What You’re not Being Told about Public Key Infrastructure. I have always found the certificate industry to be a racket because it strongly encourages websites to pay money to give their users what amounts to an illusion of security. The solution is to support efforts like CAcert.org, which generates certificates for free.
Status of RFC 2817 and RFC 3546 implementations
Submitted by specialj on Wed, 2007-12-19 18:17.
Both of these RFCs attempt to solve the problem that each SSL website must have its own IP. Or, in other words, they would allow name-based virtual hosting for secure (SSL or TLS) connections. This question still comes up frequently, as users are surprised that no one has solved this problem in the years since SSL became used for the web. The upside is that Apache now seems to support both standards: RFC 2817 in mod_ssl (2.1 and later) and RFC 3546 in mod_gnutls (0.2.0 and later). It looks like RFC 3546 is implemented in Firefox 2, Opera 8, Konqueror 4, and Internet Explorer 7. The only browser missing is Safari. So it looks like RFC 2817 is dead and RFC 3546 is the way to go. After reading up on mod_gnutls I’m excited to try it out.



