https - hopefully not too stupid a question
zenadsl6186 at zen.co.uk
Sun Jun 17 18:59:15 BST 2012
Chris Edwards wrote:
> On Sun, 17 Jun 2012, Francis Davey wrote:
>> That is very interesting. Does that mean that s97A (anti-copyright
>> infringement) ordered blocks could be required to block a particular
>> hostname without having to look inside the http packet, but merely at
>> the TLS client HELLO (or does that count as DPI - I'm never sure what
>> counts as "deep")?
> I'm not sure what counted as "deep" either, but this new bill seems to be
> changing things, such that you intercept content using DPI kit to extract
> certain info, which is then deemed mere "traffic data". Sniffing the
> URL hostname from a TLS connection would probably count as an example
> of this.
Probably OK under the present RIPA regime too.
> Although most current browsers do SNI, not all do. Because of this, the
> majority of web hosters still use a unique IP address for every https
> website, just like they always did. So in most (current) cases, blocking
> an https site by IP address would not result in overblocking.
> That might change in future if web hosts start putting multiple websites
> on a single IP (and using the SNI in anger). So any web-blocking system
> would need to examine the SNI, and I'm not sure if such kit exists
With the introduction of IPv6 any pressure to share IPs will most likely
go away, and I suspect SNI will never really get used in anger.
In fact it might be a good idea to deprecate it, starting sooner rather
than later. Hmm, is it easy to switch off in ordinary browsers?
Not that it's that much of a security risk, just that it's a
not-very-good idea whose only function is to overcome a now-vanishing
-- Peter Fairbrother
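An added example (not part of the original post or written by any of the list members quoted above) of what "examining the SNI" comes down to: the hostname sits in cleartext inside the TLS ClientHello, before any encrypted HTTP bytes are sent, so a passive observer on the path can read it by parsing the handshake message rather than the HTTP request. The ClientHello bytes are constructed inline by `build_client_hello()` (a minimal sample, not a real capture), the hostname is a placeholder, and `extract_sni()` returns `None` for a ClientHello with no SNI extension, which is the case of the older browsers the thread mentions.

```python
import struct

def build_client_hello(sni_hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, not a real capture).

    Layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name extension).
    """
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += b"\x00" * 32                         # random: zeros in this sample
    body += b"\x00"                              # session_id length: 0
    cipher_suites = b"\xc0\x2f\x00\x9c"          # two sample suites
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # compression_methods: null only

    extensions = b""
    # An unrelated extension first (signature_algorithms, type 0x000d), so the
    # parser has to walk past it rather than assume SNI comes first.
    sig_algs = b"\x04\x03\x08\x04"
    extensions += struct.pack("!HH", 0x000d, len(sig_algs) + 2)
    extensions += struct.pack("!H", len(sig_algs)) + sig_algs
    if sni_hostname is not None:
        name = sni_hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello record, or None.

    None means: not a TLS handshake record, not a ClientHello, truncated, or no SNI present.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None                                   # truncated on the wire
        off = 2 + 32                                      # skip client_version and random
        off += 1 + p[off]                                 # skip session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0] # skip cipher_suites
        off += 1 + p[off]                                 # skip compression_methods
        if off + 2 > len(p):
            return None                                   # no extensions block at all
        ext_len = struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            edata = p[off:off + elen]
            off += elen
            if etype != 0x0000:
                continue                                  # not server_name; keep walking
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:                            # host_name entry
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None                                       # malformed input

if __name__ == "__main__":
    # 'example.com' is a placeholder hostname, not a real target.
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None (no SNI sent)
```

The parser never touches anything beyond the first record, so it needs no TLS keys and no knowledge of HTTP; that is precisely why the thread treats the hostname as something visible to an intermediary. Conversely, the `None` result on a ClientHello without the extension shows why, for non-SNI clients, an intermediary sees only the destination IP.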