Community discussions

 
eduardomazolini
newbie
Topic Author
Posts: 31
Joined: Thu Jul 16, 2015 9:14 pm

Feature request: Hotspot use SNI for HTTPS walled Garden

Mon Feb 27, 2017 9:16 pm

Today, Hotspot Walled Garden use DNS cache to pass all request to IP resolved from DNS, when HTTPS request is made.
Google and Facebook use same servers for many services. Put Facebook/Google API com Walled garden is same to put all services.

And is important option to disable actual DNS use for Walled Garden when SNI is enable.

Using SNI connection per connections need be validated, increasing CPU process.
 
User avatar
gamerxp
just joined
Posts: 9
Joined: Fri Dec 09, 2016 2:54 am
Location: Thailand
Contact:

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Mon May 08, 2017 9:29 am

As HTTPS is encrypted. Router cannot read through the encryption without breaking it (Router proxy the https connection). If yes, You will get certificate error one client-side.

Correct me if I wrong.
[MTCNA] 1608NA602
 
User avatar
ziegenberg
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Thu Mar 07, 2013 11:14 am
Location: Vienna
Contact:

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Mon May 08, 2017 1:00 pm

As HTTPS is encrypted. Router cannot read through the encryption without breaking it (Router proxy the https connection). If yes, You will get certificate error one client-side.

Correct me if I wrong.
SNI is a non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication That's why SNI for HTTPS walled garden is neccessary to NOT break the SSL connection.

daniel
 
User avatar
gamerxp
just joined
Posts: 9
Joined: Fri Dec 09, 2016 2:54 am
Location: Thailand
Contact:

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Tue May 09, 2017 2:04 am

As HTTPS is encrypted. Router cannot read through the encryption without breaking it (Router proxy the https connection). If yes, You will get certificate error one client-side.

Correct me if I wrong.
SNI is a non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication That's why SNI for HTTPS walled garden is neccessary to NOT break the SSL connection.

daniel
Thanks for clarifying that :D
[MTCNA] 1608NA602
 
User avatar
doneware
Trainer
Trainer
Posts: 539
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Feature request: Hotspot use SNI for HTTPS walled Garden

Tue May 09, 2017 1:49 pm

SNI is a non-encrypted meta information. Read more here: https://en.wikipedia.org/wiki/Server_Name_Indication That's why SNI for HTTPS walled garden is neccessary to NOT break the SSL connection.
IMHO trickling with DNS is more universal and does not require actual traffic to be inspected - just redirect DNS req to a policy based (even centralised) DNS server.
there is an option available in dnsmasq and dnrd to include client mac-address (or a hashed version of that to provide some confidentiality) in the EDNS0 field, so you can have at the end per device granularity.

of course it lacks of in-depth URL visibility but at least this is a quick and easy way to take control over client requests. not to mention that it has better visibility than SNI as one cert may cover multiple FQDNs, where one A or AAAA record is likely to identify one. also it works with IPv6 as well and with non-HTTP protocols like quic.
#TR0359

Who is online

Users browsing this forum: No registered users and 115 guests