https://en.wikipedia.org/wiki/Server_Name_Indication
You can use the SNI field before any TLS decryption to determine which website the client is selecting. In this example, I'm using example.com.
Various inspection methods are available that filter on just the SNI information and do not need full TLS/SSL decryption in order to block HTTPS traffic for various sites. In fact, you can select which websites to decrypt based on the HTTPS SNI information.
So if a web client turns off SNI, you will need to do one of the following:
1: place a strict deny when no SNI is present in the Client Hello
or
2: perform MITM decryption to inspect the HTTP Host header and take action when it matches
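As an added illustration of the first option (not code from the original post), the following Python builds a minimal TLS ClientHello, pulls the server_name extension out of it without any decryption, and applies the "deny when no SNI is present" rule alongside a hostname block list. The ClientHello bytes are constructed here as sample input; the block list entries are assumptions for the example.

```python
import struct

# TLS constants (RFC 5246 / RFC 6066)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.
    When server_name is None the extension is omitted, mimicking a client
    with SNI turned off."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32   # version + random
    body += b"\x00"                                     # session id length 0
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
    body += b"\x01\x00"                                 # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname from a ClientHello record, or None if absent.
    Raises ValueError when the bytes are not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                   # skip version + random
        pos += 1 + body[pos]                           # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                           # compression methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 2:
            list_end = 2 + struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= min(list_end, len(edata)):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                         # host_name
                    return edata[q:q + nlen].decode("ascii", "replace")
                q += nlen
    return None


def sni_policy(record, blocked_names, deny_if_missing=True):
    """Decide what an SNI-based filter does with one ClientHello.
    Returns "allow", "deny" (name matched the block list) or
    "deny-no-sni" (client sent no SNI and the strict rule is on)."""
    name = extract_sni(record)
    if name is None:
        return "deny-no-sni" if deny_if_missing else "allow"
    name = name.lower().rstrip(".")
    for blocked in blocked_names:
        blocked = blocked.lower()
        if name == blocked or name.endswith("." + blocked):
            return "deny"
    return "allow"


if __name__ == "__main__":
    block_list = ["example.com"]                       # assumed block list
    for host in ("example.com", "www.example.com", "mnot.net", None):
        print(host, "->", sni_policy(build_client_hello(host), block_list))
```

The policy treats a missing SNI as a deny by default, which is exactly the strict rule above; set deny_if_missing to False to see how much a filter loses when that rule is relaxed, since a client that omits SNI then passes regardless of the block list.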
To check if your browser does NOT use SNI, launch a session to https://www.mnot.net and if you get the "upgrade to a modern browser" message, then that means your web client does not support SNI.
e.g. (using curl with -k and without)
Here's a Wireshark snippet of SNI and non-SNI:
Ken
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \