HTTPS SNI

SNI means Server Name Indication, which is a technology to let the server know which domain the client is linking to and return the certification correspondingly, which makes a single IP possible to serve multiple HTTPS sites. It is defined in RFC 6066 section 3.

The protocol extension changes the handshake process in the TLS. The client should include a struct array of the DNS name of the server the client wants to link to. And if the server has the certification, the handshake goes on normally. If not, the server should send a fatal level error and drop the connection, or just go on as if nothing happened(and give out the default certification).

The protocol also influenced the session cache of the TLS server. The TLS server which supports the extension will never give out any session to the client if the server_name mismatches. Even if the client has all the outer things qualified.

Some people think that SNI will add security risks as the client will transport the server name in cleartext. However, if a site is a TLS site(without SNI), anyone can know who the client is talking to by linking to the server. Essentially means the IP in traditional TLS servers gives out the information of the domain. Telling the domain will not add security risk to the protocol.

In fact, as the protocol provides another way to check session cache, it actually reduces the risk(though seems impossible&useless already in traditional TLS server) if the server uses the wrong TLS session which is opened by an attacker to send message to the user.

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *