
> SNI reveals the full text of the final lookup query that the requester used to obtain an IP address to open a TCP connection to the server.

Are you talking about something other than DNS lookups done at the client side?




Yes, that is how I tested it, but there's nothing magic about DNS either. Remember that this depends on the site owner and the users cooperating to put misleading data into the SNI, while still functioning properly. It isn't often useful, but it is sometimes convenient.

Basically, whatever the client does that results in a successful map of name to address (including the textual representation of the address, to the address) will cause the name to be sent in SNI, and will be used to select a matching cert on the server side.

If you do use DNS, your lookup might have a suffix appended automatically, depending on local nameserver config.
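The point made in this thread, that the SNI host_name is simply the string the client was told to connect to and is not derived from DNS, as an added Python example (not code from the thread). It builds a real ClientHello with the standard `ssl` module and no socket, so no name resolution can happen, then parses the server_name extension back out; the hostnames are constructed placeholders.

```python
import ssl
import struct
from typing import Optional


def client_hello_for(server_hostname: str) -> bytes:
    """Produce the ClientHello OpenSSL would send for server_hostname (no socket, no DNS)."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()  # writes the ClientHello, then blocks waiting for a ServerHello
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name in the server_name extension (RFC 6066), or None if absent."""
    # TLS record header: content type (0x16 = handshake), 2-byte version, 2-byte length
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    hs = client_hello[5:5 + rec_len]
    if not hs or hs[0] != 0x01:  # handshake message type 1 = ClientHello
        return None
    pos = 4  # skip handshake type + 3-byte length
    pos += 2 + 32  # legacy_version + random
    pos += 1 + hs[pos]  # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]  # compression_methods
    if pos + 2 > len(hs):
        return None  # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        body = hs[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:  # extension type 0 = server_name
            continue
        # ServerNameList: 2-byte list length, then entries of name_type(1) + length(2) + name
        lpos = 2
        while lpos + 3 <= len(body):
            name_type = body[lpos]
            name_len = struct.unpack("!H", body[lpos + 1:lpos + 3])[0]
            if name_type == 0:  # host_name
                return body[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None
```

Run `extract_sni(client_hello_for("www.example.test"))` and the name comes back verbatim, which is exactly why an on-path observer sees the name the client used and why a server's certificate selection keys on that string alone.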



