Recently, a colleague forwarded me a request from a journalist at the Korea Times asking about how using server name identification (SNI) to block website requests could constitute a privacy violation. As it turns out, South Korea is censoring some HTTPS requests using SNI.
I thought I’d share my thoughts on the topic more broadly. Disclaimer: What I’ve written is very intentionally a simplified account of things.
The short and simple version is that using SNI to block access to certain websites implies that the government (likely via their ISPs) is eavesdropping on which websites end-users are requesting to see on every encrypted request in order to determine whether or not that individual request should be blocked/censored.
SNI essentially allows a single IP address to serve multiple domain names over HTTPS. But doing so requires the client to state, unencrypted, the domain name it is requesting. Blocking these requests means the South Korean government might be eavesdropping on every (encrypted) request to every domain name that each client is sending out over the Internet.
How? HTTPS, as you might know, allows a client (e.g., your web browser) to connect to a server (e.g., https://google.com) via a secure connection where all data transmitted back and worth should be encrypted. To serve a website over HTTPS, one needs to acquire a certificate that binds a cryptographic key to a specific domain name — this allows a client to be certain that it is communicating with the expected server. That cryptographic key can then be used by clients to send encrypted data back and forth with that domain. Domain names are just human readable “addresses” that are associated with “IP addresses” through a DNS server. When you type in “google.com”, your browser serves you Google’s website by finding the IP address associated with google.com.
Now, because certificates are attached to specific domain names, and domain names are attached to specific IP addresses, there’s a problem. There are only a limited number of IP (IPv4) addresses. So, it’s expensive to serve only one domain name on an IP address. It’s much more efficient if we can serve multiple domain names per IP address. I, for example, have a personal web server with one IP address, but I serve many different encrypted websites on it: my personal website (that has two domain names— https://sauvik.me, and https://sauvikdas.com) — as well as my personal blog, course websites, and several other personal projects. But how can I do so if each domain name requires its own certificate? The answer to that is SNI. SNI allows a single IP address to serve multiple encrypted domains, but to do so a client must first request, unencrypted, the name of the domain it is trying to request. This unencrypted domain name is then compared against a list of domains and certificates served by the server, and only once that is determined can the encrypted connection between client and server begin.
By using SNI to block requests, the South Korean government is most likely eavesdropping on this initial unencrypted domain request and then blocking the request. This could constitute a privacy violation because, as you might imagine, privacy advocates do not like the idea of having every domain name they request being eavesdropped — particularly when they are requesting an encrypted connection.
Thanks for reading! If you think you or your company could benefit from my expertise, I’d be remiss if I didn’t alert you to the fact that I am an independent consultant and accepting new clients. My expertise spans UX, human-centered cybersecurity and privacy, and data science.
If you read this and thought: “whoah, definitely want to be spammed by that guy”, there are three ways to do it:
- Subscribe to my mailing list (spam frequency: a couple of times a month.)
- Follow me on Twitter (spam frequency: weekly)
- Subscribe to my YouTube channel (spam frequency: ¯\_(ツ)_/¯)
You also can do none of these things, and we will all be fine.