Path: ...!weretis.net!feeder9.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.198.18.1.11!not-for-mail From: Grant Taylor Newsgroups: comp.misc Subject: Re: [LINK] Calling time on DNSSEC? Date: Wed, 4 Dec 2024 19:17:08 -0600 Organization: TNet Consulting Message-ID: References: <67464f37@news.ausics.net> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Injection-Date: Thu, 5 Dec 2024 01:17:08 -0000 (UTC) Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="198.18.1.11"; logging-data="21716"; mail-complaints-to="newsmaster@tnetconsulting.net" User-Agent: Mozilla Thunderbird Content-Language: en-US In-Reply-To: Bytes: 2771 Lines: 47 On 12/3/24 23:49, Lawrence D'Oliveiro wrote: > It can’t be. Sure it can. > TLS cannot start encryption on HTTP until it gets a cert that > identifies the server. The TLS connection is fully established and fully encrypted *BEFORE* any HTTP is sent /through/ /the/ /inside/ /of/ /said/ /TLS/ connection. > That cert depends on the domain name. No, not quite. The domain name can be used to inform which cert the server should use, and that's EXACTLY what Server Name Indication (a.k.a. SNI) is. SNI is part of TLS. > Which comes from the “Host:” header line from the client. Nope. TLS can optionally send the domain name that it's going to connect to as part of the TLS session establishment using SNI. After the TLS session is established, then the web client sends the Host: header. > Which is why that cannot be sent encrypted. Do some reading on SNI, and then ESNI. The links that I shared previously have a decent write up. Also, consider protocols that don't send a Host: header (as HTTP does) still using SNI to indicate which domain name is being connected to. You can also take a look at TLS traffic inside of Wireshark and see that the destination name is sent very early in the connection as part of SNI. If you have your client (Firefox) save the ephemeral keys, you can decrypt the TLS session and see that the Host: header comes much later, /AFTER/ the TLS connection is fully established. -- Grant. . . .