握手期间服务器共享的证书中的网站名称是否会通过 https 杀死 DNS?
[英]Will website name in certificate shared by server during handshake kill the DNS over https purpose?
问题描述
While querying DNS over https lets assume the user gets ip over secure connection.
在通过 https 查询 DNS 时,假设用户通过安全连接获取 ip。 In the handshaking process the website shares its certificate in plaintext which includes website name and other info.在握手过程中,网站以明文形式共享其证书,其中包括网站名称和其他信息。 Will it kill the DNS over https purpose other than active sniffing?除了主动嗅探之外,它会通过 https 杀死 DNS 吗?
1 个解决方案
解决方案1
1 已采纳 2018-04-04 14:12:13
There are actually two clear-text exposures in the TLS protocols used by HTTPS. HTTPS 使用的 TLS 协议中实际上有两种明文公开。
- Server certificate – sent by server in ServerHello服务器证书 - 由服务器在 ServerHello 中发送
- Server Name Information (SNI) – sent by client in ClientHello服务器名称信息 (SNI) – 由客户端在 ClientHello 中发送
The latest version of TLS: 1.3, which is starting to be adopted by browsers and web server software, provides encryption for the ServerHello, and within a year or so, should be widely adopted, making the exposure of domain names in certificates much less likely.最新版本的 TLS: 1.3 开始被浏览器和 Web 服务器软件采用,为 ServerHello 提供加密,并在一年左右的时间内被广泛采用,使证书中的域名暴露的可能性大大降低.
SNI is more difficult to send in a secure encrypted form that is resistant to active attackers (protection against passive monitoring is more practical, but does not protect targeted clients). SNI 更难以安全的加密形式发送,以抵抗主动攻击者(防止被动监视更实用,但不能保护目标客户端)。 SNI is used by web hosting servers to determine which service's certificate should be used when there are multiple services sharing the same IP address.当多个服务共享同一个 IP 地址时,Web 托管服务器使用 SNI 来确定应使用哪个服务的证书。
While clear-text SNI information does weaken the privacy goals of DNS-over-HTTPS and the alternative DNS-over-TLS, there is a strong case to be made that encrypting and authenticating DNS requests and responses虽然明文 SNI 信息确实削弱了 DNS-over-HTTPS 和替代 DNS-over-TLS 的隐私目标,但有一个强有力的理由来加密和验证 DNS 请求和响应
- Protects against interception and modification, whether for censorship or malicious domain poisoning防止拦截和修改,无论是审查还是恶意域中毒
- Blocks both passive and active monitoring of one part of your internet communications阻止对互联网通信的一部分进行被动和主动监控
Not all internet traffic is web, if you run a mail transfer agent, it needs to look up the domains of your e-mail recipients and even when it uses SMTP TLS SNI is not usually involved.并非所有互联网流量都是网络流量,如果您运行邮件传输代理,它需要查找电子邮件收件人的域,即使它使用 SMTP TLS SNI 通常也不涉及。
For web browsing, there are mechanisms that can be used by the operators of sensitive domains, such as Domain Fronting that can be used to make the exposure of SNI less revealing, by sending one domain in the SNI request, and another in the HTTP Host: header.对于网页浏览,敏感域的运营商可以使用一些机制,例如通过在 SNI 请求中发送一个域,并在 HTTP 主机中发送另一个域,可以使用域前端来降低 SNI 的暴露程度: 头。 There is even an Internet Draft proposal to supply the desired "fronting" SNI via DNS .甚至有一个 Internet Draft 提案通过 DNS 提供所需的“前端”SNI 。
There are also several different Internet Draft proposals for protecting SNI: one uses both DNS records and TLS extensions and another uses tunneling to protect the SNI information .还有几种不同的互联网草案提案用于保护 SNI:一种使用 DNS 记录和 TLS 扩展,另一种使用隧道来保护 SNI 信息。 The author of the latter proposal has a more generally accessible blog post illustrating the difficulties of protecting SNI against all possible attacks.后一个提案的作者有一篇更容易访问的博客文章,说明了保护 SNI 免受所有可能的攻击的困难。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.