https - hopefully not too stupid a question

Francis Davey fjmd1a at
Sun Jun 17 17:37:00 BST 2012

2012/6/17 Chris Edwards <chris-ukcrypto at>:
> SNI involves sending the URL hostname in the clear as part of the TLS
> client HELLO, which is the very first packet of every connection, after
> the 3-way TCP handshake.  At this stage, the client does not know whether
> the server understands, or wishes to see, the SNI.  So therefore it's always
> sent, regardless.  If the server isn't interested, it will simply ignore
> it.
> Older browsers don't do this.  But most things post Win XP do.

That is very interesting. Does that mean that s97A (anti-copyright
infringement) ordered blocks could be required to block a particular
hostname without having to look inside the http packet, but merely at
the TLS client HELLO (or does that count as DPI - I'm never sure what
counts as "deep")? In other words you could block newzbin2 from https:
access even if it shared its IP address with many others.

Or have I misunderstood?


Francis Davey

More information about the ukcrypto mailing list