https - hopefully not too stupid a question

Chris Edwards chris-ukcrypto at
Sun Jun 17 17:58:33 BST 2012

On Sun, 17 Jun 2012, Francis Davey wrote:

> That is very interesting. Does that mean that s97A (anti-copyright
> infringement) ordered blocks could be required to block a particular
> hostname without having to look inside the http packet, but merely at
> the TLS client HELLO (or does that count as DPI - I'm never sure what
> counts as "deep")?

I'm not sure what counted as "deep" either, but this new bill seems to be 
changing things, such that you intercept content using DPI kit to extract 
certain info, which is then deemed mere "traffic data".  Sniffing the 
URL hostname from the a TLS connection would probably count as an example 
of this.

Although most current browsers do SNI, not all do.  Because of this, the 
majority of web hosters still use a unique IP address for every https 
website, just like they always did.  So in most (current) cases, blocking 
an https site by IP address would not result in overblocking.

That might change in future if web hosts start putting multiple websites 
on a single IP (and using the SNI in anger).  So any web-blocking system 
would need to examine the SNI, and I'm not sure if such kit exists 

More information about the ukcrypto mailing list