Comments on: Google Apps for your Domain, DNS, CNAME and Security

By: Trejkaz

Trejkaz — Thu, 23 Aug 2007 01:13:04 +0000

Actually it is possible during SSL negotiation to specify the recipient hostname, thus allowing for virtual hosting. It’s just that not many people have configured their servers to do so. You would expect Google of all people to have the resources to pay someone to get it working, though.

By: Eran

Eran — Tue, 07 Aug 2007 09:16:05 +0000

Gray, while it seems you have some claims/responses to Bret McDanel I’m sure this post on my blog is not the right platform for such exchange.

Please refrain from using this post (and this blog) for exchanging “secret” encoded messages to Bret.

By: Gary McLaughlin

Gary McLaughlin — Mon, 06 Aug 2007 23:10:16 +0000

Oh but Gary but we have spoken before and for such a high profile contributor on all sorts of things it is a wonder you behave in your personal life the way you do behave! (More to follow?)

By: Bret McDanel

Bret McDanel — Fri, 13 Jul 2007 05:04:49 +0000

I dont know what gary is on about, I have never spoken to him before, although he did post something to my page that had nothing to do with anything so it didnt make it past moderation.

My point about specifying https instead of http when connecting to gmail allows you the user to select which you prefer. Low cpu powered devices (such as mobile phone browsers) and those who are required to use proxies (again largely mobile phone devices) may not be able to use https beyond a form post. I have had issues with a few mobile companies that way. SSL requires considerably more cpu, especially if keys arent cached (SSL 2.0 started that) and portable devices may not be able to perform as a user expects.

I think google may do a service to their customers to advertise that you can use https instead of http, although that would require a higher cpu load on their end, and perhaps that is why they dont tell people. I really dont know what decisions they made to advertise the http url only.

If you start with a https session it will remain https even after authentication. If you start out doing http then it will revert to http after auth. In this way the user has the freedom to choose, even if they dont know there is a choice.

By: Eran

Eran — Thu, 05 Jul 2007 08:55:13 +0000

Gary, what do you mean?

By: Gary McLaughlin

Gary McLaughlin — Wed, 04 Jul 2007 23:10:34 +0000

Bret McDanel may know his HTTP from his HTTPS – but this guy is a fraudster!

By: Eran

Eran — Mon, 25 Jun 2007 06:37:26 +0000

Bret,

Thanks for the information. Actually, my main concern here was that Google Apps for your Domain and Gmail DO support HTTPS, but, for some reason, after authentication the user is redirected to a non secure version (HTTP) even though this contains Email which may contain a bit more sensitive information.

So, the quick and correct fix from Google’s side is to always redirect to HTTPS, even at the cost of redirecting my webmail.mydomain.com to http://google.com/a/mydomain/mail (or whatever) and then redirecting it to HTTPS://…

By: Bret McDanel

Bret McDanel — Mon, 25 Jun 2007 03:36:15 +0000

HTTP supports a virtual hosted environment through one of the headers a browser sends the server, namely the server name or ‘Host’ header. In this way 1 IP can handle many different sites. HTTPS however encrypts the traffic, and you cannot know which site the user wants until after you have negotiated encryption, which requires of course the certificate for the hostname in question. This catch-22 means that you cant alias or CNAME one host name to another.

If you really wanted to do this, you could create a static page that does a refresh via the META html tag see http://en.wikipedia.org/wiki/Meta_refresh for an example. If you have CGI or scripting ability you could send a 302 to the https url and then its not an issue :)