https - hopefully not too stupid a question

Ben Laurie ben at
Sun Jun 17 19:18:39 BST 2012

On Sun, Jun 17, 2012 at 5:58 PM, Chris Edwards
<chris-ukcrypto at> wrote:
> On Sun, 17 Jun 2012, Francis Davey wrote:
>> That is very interesting. Does that mean that s97A (anti-copyright
>> infringement) ordered blocks could be required to block a particular
>> hostname without having to look inside the http packet, but merely at
>> the TLS client HELLO (or does that count as DPI - I'm never sure what
>> counts as "deep")?
> I'm not sure what counted as "deep" either, but this new bill seems to be
> changing things, such that you intercept content using DPI kit to extract
> certain info, which is then deemed mere "traffic data".  Sniffing the
> URL hostname from a TLS connection would probably count as an example
> of this.
> Although most current browsers do SNI, not all do.  Because of this, the
> majority of web hosters still use a unique IP address for every https
> website, just like they always did.  So in most (current) cases, blocking
> an https site by IP address would not result in overblocking.
> That might change in future if web hosts start putting multiple websites
> on a single IP (and using the SNI in anger).  So any web-blocking system
> would need to examine the SNI, and I'm not sure if such kit exists
> (today).

Marsh Ray has a proposal to encrypt extensions. Unfortunately the
version that encrypts SNI takes an extra round trip.
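As an added illustration, not part of the thread, here is a small Python parser for what Francis calls looking "merely at the TLS client HELLO": it builds a constructed (not captured) ClientHello record, then pulls the host_name out of the server_name extension without touching any HTTP bytes. The example also covers the case Chris raises, a legacy client that sends no SNI at all, where an on-path observer is left with nothing but the destination IP. The hostname and cipher suite are sample values chosen for the example.

```python
import struct
from typing import Optional

SNI_EXTENSION_TYPE = 0x0000   # RFC 6066 server_name extension
HOST_NAME_TYPE = 0x00         # only name_type defined by RFC 6066


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (a constructed sample, not a capture).

    With server_name=None the extensions block is omitted entirely, which is what a
    pre-SNI client sends; such a connection can only be identified by destination IP.
    """
    body = b"\x03\x03"              # client_version: TLS 1.2
    body += bytes(32)               # random (zeros are fine for a constructed sample)
    body += b"\x00"                 # session_id length 0
    body += b"\x00\x02\xc0\x2f"     # cipher_suites: one suite (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
    body += b"\x01\x00"             # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")          # SNI carries A-labels, i.e. ASCII
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a TLS ClientHello record.

    Returns None when the record is not a ClientHello, is truncated, or carries no
    SNI. Every length field is bounds-checked before use so a short or malformed
    record cannot index past the buffer; a passive sensor sees plenty of those.
    """
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a client_hello message
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    ch = hs[4:4 + hs_len]
    if len(ch) < hs_len:                              # truncated handshake body
        return None

    pos = 2 + 32                                      # skip client_version and random
    if pos >= len(ch):
        return None
    sid_len = ch[pos]
    pos += 1 + sid_len                                # skip session_id
    if pos + 2 > len(ch):
        return None
    cs_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2 + cs_len                                 # skip cipher_suites
    if pos + 1 > len(ch):
        return None
    cm_len = ch[pos]
    pos += 1 + cm_len                                 # skip compression_methods
    if pos + 2 > len(ch):                             # no extensions block: legacy client
        return None
    ext_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(ch):
        return None

    while pos + 4 <= end:                             # walk the extension list
        ext_type, ext_body_len = struct.unpack("!HH", ch[pos:pos + 4])
        pos += 4
        ext_body = ch[pos:pos + ext_body_len]
        pos += ext_body_len
        if len(ext_body) < ext_body_len:
            return None
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        if len(ext_body) < 2:
            return None
        list_len = struct.unpack("!H", ext_body[:2])[0]
        lp, lend = 2, 2 + list_len
        if lend > len(ext_body):
            return None
        while lp + 3 <= lend:                         # ServerNameList entries
            name_type, name_len = struct.unpack("!BH", ext_body[lp:lp + 3])
            lp += 3
            name = ext_body[lp:lp + name_len]
            lp += name_len
            if len(name) < name_len:
                return None
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.org")))   # hostname visible in cleartext
    print(extract_sni(build_client_hello(None)))                # legacy client: nothing but the IP
```

The point of the two calls at the bottom is the one the thread turns on: with SNI present, the hostname is readable by anyone on the path from the very first packet of the handshake, before a single HTTP byte exists; without it, an observer has only the destination address, which is exactly why shared-IP hosting plus SNI changes the overblocking picture. Encrypting the extension, as in the proposal Ben mentions, is what would remove the first case.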

