https - hopefully not too stupid a question
fjmd1a at gmail.com
Sun Jun 17 17:37:00 BST 2012
2012/6/17 Chris Edwards <chris-ukcrypto at lists.skipnote.org>:
> SNI involves sending the URL hostname in the clear as part of the TLS
> client HELLO, which is the very first packet of every connection, after
> the 3-way TCP handshake. At this stage, the client does not know whether
> server understands, or wishes to see the SNI. So therefore it's always
> sent, regardless. If the server isn't interested, it will simply ignore
> Older browsers don't do this. But most things post Win XP do.
That is very interesting. Does that mean that s97A (anti-copyright
infringement) ordered blocks could be required to block a particular
hostname without having to look inside the http packet, but merely at
the TLS client HELLO (or does that count as DPI - I'm never sure what
counts as "deep")? In other words you could block newzbin2 from https:
access even if it shared its IP address with many others.
Or have I misunderstood?
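The mechanism Chris describes in the quoted text, as an added example that is not part of the original thread: a small Python parser that pulls the server_name out of a TLS ClientHello record and applies a hostname blocklist to it, so the filter only has to look at the first packet after the TCP handshake and never at the HTTP request inside the tunnel. The ClientHello bytes, the blocklist and the hostnames (example.com, example.org) are constructed for this example; `build_client_hello`, `extract_sni` and `should_block` are names chosen here, not any real product's API. The no-SNI case is included because that is the failure mode of such a block: an older client that omits the extension gives the filter nothing to match on except the shared IP address.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello record, with or
# without the server_name (SNI) extension. Random and session_id are zeros,
# which is fine for a parsing demonstration.
def build_client_hello(hostname=None):
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, _256_
    body = (
        b"\x03\x03"                      # client_version
        + bytes(32)                      # random
        + b"\x00"                        # session_id length 0
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                    # one compression method: null
    )
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(sn_list)) + sn_list  # type 0 = SNI
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg type ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if the
    client sent no SNI. Raises ValueError for bytes that are not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
    except IndexError:
        raise ValueError("truncated ClientHello")
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        elen = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if ext_type != 0:
            continue
        # server_name_list: 2-byte list length, then (name_type, 2-byte len, name)
        lpos = 2
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            nlen = int.from_bytes(data[lpos + 1:lpos + 3], "big")
            name = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if name_type == 0:
                return name.decode("ascii", errors="replace")
    return None


def should_block(record, blocked_hosts):
    """Hostname blocklist applied to the ClientHello alone: match the SNI name
    or any subdomain of a blocked host. With no SNI there is nothing to match,
    so a hostname-based block cannot single out one site on a shared IP."""
    host = extract_sni(record)
    if host is None:
        return False
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


if __name__ == "__main__":
    blocklist = {"example.com"}
    for name in ("www.example.com", "example.org", None):
        rec = build_client_hello(name)
        print(name, "->", extract_sni(rec), "blocked:", should_block(rec, blocklist))
```

The parser reads only the record and handshake headers and the extension list, which is what a filter doing this would have to do: the hostname is in the clear, so no decryption is involved, but the box still has to reassemble and parse the start of every TCP stream on port 443 rather than match on IP alone.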