https - hopefully not too stupid a question

Peter Fairbrother zenadsl6186 at zen.co.uk
Sun Jun 17 16:33:43 BST 2012


Chris Edwards wrote:
> On Sun, 17 Jun 2012, Roland Perry wrote:
> 
>> In article <4FDDE873.8020906 at zen.co.uk>, Peter Fairbrother
>> <zenadsl6186 at zen.co.uk> writes
>>> The URL is (or should be) encrypted if there is a "s" in the http(s) part.
>> So all the connectivity ISP knows is the IP address of the https server, which
>> is back to the situation under RIPA 21(6).
> 
> Modern browsers send the hostname (i.e. up to the first single slash) 
> in the clear, in order to facilitate name-based virtual hosting
> for https.  See:
> 
>  http://en.wikipedia.org/wiki/Server_Name_Indication
> 
> Often, this is not hugely different from simply knowing the IP address of 
> the server.  But in some cases, knowing the service name may make it 
> slightly easier to know what's being accessed.
> 

Thanks, I had thought the hostname [1] got exposed sometimes at the 
beginning of a session, but didn't know the details.

Does SNI get used every time, or only on request, eg when a single IP 
address hosts many different domains?

From a monitoring POV that probably doesn't matter any, as if the IP 
only hosts one domain then the monitors know the hostname anyway, 
whether SNI is used or not.


In practice, the client will normally do a DNS on the hostname before a 
https connection is established. So if all the client's traffic is being 
monitored then the monitors will usually have the hostname anyway.


[1] but not the full URL, which is encrypted.

-- Peter Fairbrother



