SNI means Server Name Indication, which is a technology to let server know which domain the client is linking to and return the certification correspondingly, which make a single IP possible to server multiply HTTPS sites. It is defined in RFC 6066 section 3.

The protocol extension change the handshake process in the TLS. The client should include a struct array which defined in each way (currently only DNS hostname are widely supported) of defining name, which name of server the client want to link to. And if the server have the certification, the handshake goes on normally. If not, the server should send a fatal level error and drop the connection, or just go on as if nothing happened(and give out the default certification).

The protocol also influenced the session cache of TLS server. The TLS server which support the extension will never give out any session to client if the server_name mismatches. Even if the client have all the outer things qualified.

Some people think that SNI will add security risks as the client will transport the server name in clear text. However, if a site is a TLS site(wo SNI), anyone can know whom the client is talk to by linking to the server. So that the IP in traditional TLS servers give out the information of the domain. Say the domain will not add security risk to the protocol.

In fact, as the protocol provide another way to check session cache, it actually reduce the risk(though seems impossible&useless already in traditional TLS server) the server use the wrong TLS session which is opened by an attacker to send message to the user.

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *