undefined | Better HN

0 pointssk5t11y ago0 comments

Not true; consider SNI as an example of the server choosing a certificate as part of the handshake, without a cleartext exchange of the hostname.

http://en.wikipedia.org/wiki/Server_Name_Indication

0 comments

2 comments · 2 top-level

Perseids11y ago

Actually the SNI extension is sent in the clear. That's one of the things TLS 1.3 is supposed to fix. (See e.g. http://www.ietf.org/mail-archive/web/tls/current/msg10484.ht... for a discussion about how to handle SNI there). You have a point, though, in that the TLS extensions sent by the client might give you some indication with what client you are talking with. I would not hope for it though, and even if, such heuristics are hell of an ugly hack inside the TLS stack.

bartc11y ago

Actually, in the case of SNI, the hostname IS sent in plain text. It's sent with the initial ClientHello message so that the server can use it to select the proper server certificate for the session.

j / k navigate · click thread line to collapse