Deutsch   English   Français   Italiano  
<viquuk$l6k$1@tncsrv09.home.tnetconsulting.net>

View for Bookmarking (what is this?)
Look up another Usenet article

Path: ...!weretis.net!feeder9.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.198.18.1.11!not-for-mail
From: Grant Taylor <gtaylor@tnetconsulting.net>
Newsgroups: comp.misc
Subject: Re: [LINK] Calling time on DNSSEC?
Date: Wed, 4 Dec 2024 19:17:08 -0600
Organization: TNet Consulting
Message-ID: <viquuk$l6k$1@tncsrv09.home.tnetconsulting.net>
References: <67464f37@news.ausics.net>
 <vi68n4$k3r$1@tncsrv09.home.tnetconsulting.net>
 <wwva5dlul1r.fsf@LkoBDZeT.terraraq.uk>
 <vi8tkg$8ha$1@tncsrv09.home.tnetconsulting.net>
 <wwva5dj91v4.fsf@LkoBDZeT.terraraq.uk> <vim7jd$3t1l3$1@dont-email.me>
 <viobpa$s79$2@tncsrv09.home.tnetconsulting.net> <viod8c$fp5p$1@dont-email.me>
 <vion3k$fau$1@tncsrv09.home.tnetconsulting.net> <vioqhn$mcr7$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Thu, 5 Dec 2024 01:17:08 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="198.18.1.11";
	logging-data="21716"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla Thunderbird
Content-Language: en-US
In-Reply-To: <vioqhn$mcr7$1@dont-email.me>
Bytes: 2771
Lines: 47

On 12/3/24 23:49, Lawrence D'Oliveiro wrote:
> It can’t be.

Sure it can.

> TLS cannot start encryption on HTTP until it gets a cert that 
> identifies the server.

The TLS connection is fully established and fully encrypted *BEFORE* any 
HTTP is sent /through/ /the/ /inside/ /of/ /said/ /TLS/ connection.

> That cert depends on the domain name.

No, not quite.

The domain name can be used to inform which cert the server should use, 
and that's EXACTLY what Server Name Indication (a.k.a. SNI) is.  SNI is 
part of TLS.

> Which comes from the “Host:” header line from the client. 

Nope.

TLS can optionally send the domain name that it's going to connect to as 
part of the TLS session establishment using SNI.

After the TLS session is established, then the web client sends the 
Host: header.

> Which is why that cannot be sent encrypted.

Do some reading on SNI, and then ESNI.  The links that I shared 
previously have a decent write up.

Also, consider protocols that don't send a Host: header (as HTTP does) 
still using SNI to indicate which domain name is being connected to.

You can also take a look at TLS traffic inside of Wireshark and see that 
the destination name is sent very early in the connection as part of SNI.

If you have your client (Firefox) save the ephemeral keys, you can 
decrypt the TLS session and see that the Host: header comes much later, 
/AFTER/ the TLS connection is fully established.



-- 
Grant. . . .