https - hopefully not too stupid a question

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Jun 17 18:59:15 BST 2012


Chris Edwards wrote:
> On Sun, 17 Jun 2012, Francis Davey wrote:
> 
>> That is very interesting. Does that mean that s97A (anti-copyright
>> infringement) ordered blocks could be required to block a particular
>> hostname without having to look inside the http packet, but merely at
>> the TLS client HELLO (or does that count as DPI - I'm never sure what
>> counts as "deep")?
> 
> I'm not sure what counted as "deep" either, but this new bill seems to be 
> changing things, such that you intercept content using DPI kit to extract 
> certain info, which is then deemed mere "traffic data".  Sniffing the 
> URL hostname from a TLS connection would probably count as an example 
> of this.

Probably OK under the present RIPA regime too.
> 
> Although most current browsers do SNI, not all do.  Because of this, the 
> majority of web hosters still use a unique IP address for every https 
> website, just like they always did.  So in most (current) cases, blocking 
> an https site by IP address would not result in overblocking.
> 
> That might change in future if web hosts start putting multiple websites 
> on a single IP (and using the SNI in anger).  So any web-blocking system 
> would need to examine the SNI, and I'm not sure if such kit exists 
> (today).


With the introduction of IPv6 any pressure to share IPs will most likely 
go away, and I suspect SNI will never really get used in anger.

In fact it might be a good idea to deprecate it, starting sooner rather 
than later. Hmm, is it easy to switch off in ordinary browsers?

Not that it's that much of a security risk, just that it's a 
not-very-good idea whose only function is to overcome a now-vanishing 
problem.





-- Peter Fairbrother
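The point Chris makes above, that the hostname can be read from the TLS client HELLO without looking inside the HTTP payload and that some clients send no SNI at all, is easy to see by parsing the handshake. The following is an added example written for this archive page, not code from any of the posters: it builds a minimal TLS 1.2 ClientHello record (constructed sample data, with illustrative cipher suite values, not a capture) and then extracts the server_name extension from it, returning None when the client sent no SNI. Everything needed is in the cleartext record and handshake headers, which is why such a name can be treated as traffic data rather than content.

```python
import struct

SNI_EXT = 0x0000          # extension type for server_name
HOST_NAME = 0             # NameType host_name inside the server_name list


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample
    data, not a capture). With hostname=None no server_name extension is
    sent, mimicking a client that does not do SNI."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += b"\x11" * 32                     # random: fixed filler (constructed)
    body += b"\x00"                          # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"             # two cipher suites (illustrative)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    # an unrelated empty extension (extended_master_secret) so the parser
    # has to skip over something it does not care about
    extensions += struct.pack("!HH", 0x0017, 0)
    body += struct.pack("!H", len(extensions)) + extensions
    # handshake header: type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension of a
    ClientHello record, or None if the record is not a ClientHello, is
    malformed, or carries no SNI (as with older clients)."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                      # not a TLS handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                      # not a ClientHello
        pos = 4 + 2 + 32                     # handshake header, version, random
        sid_len = hs[pos]
        pos += 1 + sid_len                   # session_id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                    # cipher_suites
        cm_len = hs[pos]
        pos += 1 + cm_len                    # compression_methods
        if pos + 2 > len(hs):
            return None                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXT:
                continue                     # skip extensions we do not parse
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == HOST_NAME:
                    return name.decode("idna")
        return None                          # extensions present, but no SNI
    except (struct.error, IndexError):
        return None                          # truncated or malformed record


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # example.com
    print(extract_sni(build_client_hello(None)))            # None
```

The second call models exactly the case the thread raises: a client without SNI produces a ClientHello from which no hostname can be recovered, so anything keyed on the name would have to fall back to the destination IP address.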