SNI:
I want to host multiple websites on a single static public IP address. This makes sense because public IP addresses are expensive.
IP address: 1.2.3.4
Websites:
a.com
b.com
c.com and so on.
In the case of HTTPS, when you want to reach a.com:
First, DNS resolves the hostname to the IP address.
Then the TCP three-way handshake (3WHS).
Then the TLS ClientHello (CH) from the client.
When the server hosts a single website (a.com), it responds with that site's certificate and proves its identity.
The problem arises when one server hosts multiple websites: the server does not know which certificate to serve, because nothing in the TLS CH names the host. All it has is the destination IP address, 1.2.3.4.
SNI resolves this.
With SNI, the client adds the hostname as an extra string (the server_name extension) to the TLS CH, alongside the connection to the IP address:
CH: 1.2.3.4 / SNI = a.com
Now the server knows it has to respond with the a.com certificate.
The next step is the GET request, which is encrypted inside TLS:
GET / with Host: a.com
Now the server can serve the content of the a.com website.
There is also the option of one certificate that covers multiple websites (a multi-domain certificate), but it is very expensive.
What happens if we do https://1.2.3.4?
This will fail: the only name the client has is 1.2.3.4, and the server will not have a certificate or website with the name 1.2.3.4.
The GET request will also carry 1.2.3.4 as the host name, which the server will not recognise, so nothing is served.
Problem:
In TLS we send a.com in plain text, so anyone on the path can sniff it and track your activity. Also, DNS queries go out unencrypted (plain UDP).
To overcome this, there is ESNI (Encrypted SNI), which relies on DoH (DNS over HTTPS).