https - hopefully not too stupid a question
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sun Jun 17 17:35:55 BST 2012
Peter Fairbrother wrote:
> Chris Edwards wrote:
>> On Sun, 17 Jun 2012, Roland Perry wrote:
>>
>>> In article <4FDDE873.8020906 at zen.co.uk>, Peter Fairbrother
>>> <zenadsl6186 at zen.co.uk> writes
>>>> The URL is (or should be) encrypted if there is a "s" in the http(s)
>>>> part.
>>> So all the connectivity ISP knows is the IP address of the https
>>> server, which is back to the situation under RIPA 21(6).
>>
>> Modern browsers send the hostname (i.e. up to the first single slash) in
>> the clear, in order to facilitate name-based virtual hosting
>> for https. See:
>>
>> http://en.wikipedia.org/wiki/Server_Name_Indication
>>
>> Often, this is not hugely different from simply knowing the IP address
>> of the server. But in some cases, knowing the service name may make
>> it slightly easier to know what's being accessed.
>>
>
> Thanks, I had thought the hostname [1] got exposed sometimes at the
> beginning of a session, but didn't know the details.
>
> Does SNI get used every time, or only on request, e.g. when a single IP
> address hosts many different domains?
>
> From a monitoring POV that probably doesn't matter any, as if the IP
> only hosts one domain then the monitors know the hostname anyway,
> whether SNI is used or not.
>
>
> In practice, the client will normally do a DNS on the hostname before a
> https connection is established. So if all the client's traffic is being
> monitored then the monitors will usually have the hostname anyway.
Another case, which might result in all the URL being exposed, is where
a connection starts in http then defaults to https - the user types in a
full http URL, and the server changes it to https.
It happens.
-- Peter Fairbrother
>
>
> [1] but not the full URL, which is encrypted.
>
> -- Peter Fairbrother
>
>
>