Monday, April 16, 2018

How to validate a client is sending the SNI in TLS

Almost all modern browsers use TLS extensions, and the most common one is known as Server Name Indication (SNI):

https://en.wikipedia.org/wiki/Server_Name_Indication


You can use the SNI field, before any TLS decryption, to determine which website the client is requesting. In this example, I'm using example.com.



Various inspection methods are available that filter on just the SNI information and do not need full TLS/SSL decryption in order to block HTTPS traffic to various sites. In fact, you can select which websites to decrypt based on the HTTPS SNI information.



So if a web client turns off SNI, you will need to do one of the following:

1: place a strict deny when no SNI is present in the client hello

or

2: perform MiTM decryption to inspect the http.host header and take action when it matches
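To show what option 1 looks like in practice, here is an added example (not from the original post) that parses the SNI extension out of a raw TLS ClientHello and applies a strict policy: deny when SNI is absent, deny a blocked name, otherwise allow. The ClientHello bytes are constructed inline as sample traffic, not taken from a capture; the blocklist and the policy strings are my own choices.

```python
import struct

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample,
    not a real capture), with or without the SNI extension."""
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        exts = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)               # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body       # client_hello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # handshake record header

def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    or None when the client sent no SNI. Raises ValueError on other input."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                             # skip headers, version, random
    pos += 1 + record[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + record[pos]                                       # compression_methods
    if pos + 2 > len(record):
        return None                                              # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0x00:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", errors="replace")
        pos += 4 + ext_len
    return None

def sni_policy(record, blocked):
    """Strict policy from the post: deny when SNI is absent, deny listed names, else allow."""
    name = extract_sni(record)
    if name is None:
        return "deny: no SNI in ClientHello"
    if name.lower() in blocked:
        return f"deny: {name} is blocked"
    return f"allow: {name}"

if __name__ == "__main__":
    for hello in (build_client_hello("example.com"), build_client_hello(None)):
        print(sni_policy(hello, {"example.com"}))
```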


To check whether your browser does NOT use SNI, launch a session to https://www.mnot.net; if you get the "upgrade to a modern browser" message, that means your web client does not support SNI.


e.g. (using curl with -k and without)



Here's a Wireshark snippet of SNI and non-SNI:



Ken






NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
 
