https - hopefully not too stupid a question
Ben Laurie
ben at links.org
Sun Jun 17 19:18:39 BST 2012
On Sun, Jun 17, 2012 at 5:58 PM, Chris Edwards
<chris-ukcrypto at lists.skipnote.org> wrote:
> On Sun, 17 Jun 2012, Francis Davey wrote:
>
>> That is very interesting. Does that mean that s97A (anti-copyright
>> infringement) ordered blocks could be required to block a particular
>> hostname without having to look inside the http packet, but merely at
>> the TLS client HELLO (or does that count as DPI - I'm never sure what
>> counts as "deep")?
>
> I'm not sure what counted as "deep" either, but this new bill seems to be
> changing things, such that you intercept content using DPI kit to extract
> certain info, which is then deemed mere "traffic data". Sniffing the
> URL hostname from a TLS connection would probably count as an example
> of this.
>
> Although most current browsers do SNI, not all do. Because of this, the
> majority of web hosters still use a unique IP address for every https
> website, just like they always did. So in most (current) cases, blocking
> an https site by IP address would not result in overblocking.
>
> That might change in future if web hosts start putting multiple websites
> on a single IP (and using the SNI in anger). So any web-blocking system
> would need to examine the SNI, and I'm not sure if such kit exists
> (today).
Marsh Ray has a proposal to encrypt extensions. Unfortunately the
version that encrypts SNI takes an extra round trip.
http://tools.ietf.org/html/draft-ray-tls-encrypted-handshake-00
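To make concrete what the thread means by reading the hostname "merely at the TLS client HELLO", here is an added example (not code from the ukcrypto thread or from any of the people quoted): it constructs a minimal TLS 1.2-style ClientHello in memory and parses it the way a passive monitor would, showing that the SNI hostname sits in cleartext before any encryption begins. A ClientHello built without the extension, the "not all browsers do SNI" case Chris Edwards raises, yields None; truncated records are rejected rather than misread. The cipher suites, random bytes and hostname are constructed placeholders.

```python
"""Extract the Server Name Indication (SNI) from a TLS ClientHello record.

Added example for the thread above, not code from it. The ClientHello is
constructed here with placeholder values; only the framing matters.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension type
SNI_HOST_NAME = 0x00      # name_type host_name


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return a constructed TLS record holding a ClientHello (TLS 1.2 framing)."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni_body = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                   # client_version TLS 1.2
        + bytes(range(32))                            # random (placeholder)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c"  # two cipher suites (placeholder)
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _need(buf: bytes, pos: int, width: int) -> int:
    """Read a big-endian integer of `width` bytes at pos, checking bounds."""
    if pos + width > len(buf):
        raise ValueError("truncated field")
    return int.from_bytes(buf[pos:pos + width], "big")


def _skip_vector(buf: bytes, pos: int, width: int) -> int:
    """Skip a length-prefixed vector whose length field is `width` bytes wide."""
    length = _need(buf, pos, width)
    pos += width + length
    if pos > len(buf):
        raise ValueError("vector exceeds body")
    return pos


def _parse_sni(data: bytes) -> Optional[str]:
    """Return the first host_name entry of a server_name extension body."""
    list_len = _need(data, 0, 2)
    pos, end = 2, 2 + list_len
    if end > len(data):
        raise ValueError("server_name_list exceeds extension")
    while pos + 3 <= end:
        name_type, name_len = data[pos], _need(data, pos + 1, 2)
        pos += 3
        name = data[pos:pos + name_len]
        if len(name) != name_len:
            raise ValueError("truncated server name")
        pos += name_len
        if name_type == SNI_HOST_NAME:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI hostname from a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a complete, well-formed
    ClientHello, so a truncated capture never yields a wrong hostname.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                       # skip client_version and random
    pos = _skip_vector(body, pos, 1)   # session_id
    pos = _skip_vector(body, pos, 2)   # cipher_suites
    pos = _skip_vector(body, pos, 1)   # compression_methods
    if pos == len(body):
        return None                    # pre-extension client: no extensions block
    ext_len = _need(body, pos, 2)
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions length exceeds body")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        if len(data) != ext_size:
            raise ValueError("truncated extension")
        pos += ext_size
        if ext_type == EXT_SERVER_NAME:
            return _parse_sni(data)
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.org")))  # www.example.org
    print(extract_sni(build_client_hello(None)))               # None
```

The parser stops at the first server_name extension and never touches anything after the ClientHello, which is all a hostname-level monitor of this kind needs; Marsh Ray's draft cited above would move exactly this field under encryption, at the cost of the extra round trip mentioned.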