https - hopefully not too stupid a question

Peter Fairbrother zenadsl6186 at
Sun Jun 17 16:33:43 BST 2012

Chris Edwards wrote:
> On Sun, 17 Jun 2012, Roland Perry wrote:
>> In article <4FDDE873.8020906 at>, Peter Fairbrother
>> <zenadsl6186 at> writes
>>> The URL is (or should be) encrypted if there is a "s" in the http(s) part.
>> So all the connectivity ISP knows is the IP address of the https server, which
>> is back to the situation under RIPA 21(6).
> Modern browsers send the hostname (ie. upto first single slash) 
> in the clear, in order to facilities named-based virtual hosting
> for https.  See:
> Often, this is not hugely different from simply knowing the IP address of 
> the server.  But in some cases, knowing the service name may make it 
> slightly easier to know what's being accessed.

Thanks, I had thought the hostname [1] got exposed sometimes at the 
beginning of a session, but didn't know the details.

Does SNI get used every time, or only on request, eg when a single IP 
address hosts many different domains?

 From a monitoring POV that probably doesn't matter any, as if the IP 
only hosts one domain then the monitors know the hostname anyway, 
whether SNI is used or not.

In practice, the client will normally do a DNS on the hostname before a 
https connection is established. So if all the client's traffic is being 
monitored then the monitors will usually have the hostname anyway.

[1] but not the full URL, which is encrypted.

-- Peter Fairbrother

More information about the ukcrypto mailing list