https - hopefully not too stupid a question
Chris Edwards
chris-ukcrypto at lists.skipnote.org
Sun Jun 17 17:58:33 BST 2012
On Sun, 17 Jun 2012, Francis Davey wrote:
> That is very interesting. Does that mean that s97A (anti-copyright
> infringement) ordered blocks could be required to block a particular
> hostname without having to look inside the http packet, but merely at
> the TLS client HELLO (or does that count as DPI - I'm never sure what
> counts as "deep")?
I'm not sure what counted as "deep" either, but this new bill seems to be
changing things, such that you intercept content using DPI kit to extract
certain info, which is then deemed mere "traffic data". Sniffing the
URL hostname from a TLS connection would probably count as an example
of this.
Although most current browsers do SNI, not all do. Because of this, the
majority of web hosters still use a unique IP address for every https
website, just like they always did. So in most (current) cases, blocking
an https site by IP address would not result in overblocking.
That might change in future if web hosts start putting multiple websites
on a single IP (and using the SNI in anger). So any web-blocking system
would need to examine the SNI, and I'm not sure if such kit exists
(today).