TIL: You can identify the hostname in an HTTPS request


Today I was talking to someone who said they were blocking HTTPS traffic in a transparent proxy setup. That is, they were blocking specific domains.

I know this can be done by installing a certificate on the intercepting device that the client trusts (i.e. decrypting the traffic), or by blocking a specific IP range.

However, this got me curious whether it was possible to get the hostname from an encrypted connection.

A quick google search led me to this.

Turns out the client sends the hostname in plaintext as part of the ClientHello message during the TLS handshake, in the Server Name Indication (SNI) extension!

I tried this out by connecting to this site, and there it was.

$ tshark -i en0 -x -O TLSv1.2
...
c0 09 c0 13 00 33 00 9c 00 35 00 2f 00 0a 01 00   .....3...5./....
01 95 ff 01 00 01 00 00 00 00 11 00 0f 00 00 0c   ................
6b 69 72 62 75 63 68 69 2e 63 6f 6d 00 17 00 00   kirbuchi.com....
00 23 00 b0 b7 5f 38 49 97 05 5d 33 b6 51 a3 0d   .#..._8I..]3.Q..
df ea b2 60 12 ee b3 5b 21 4e f1 7a 0e 4f 95 7c   ...`...[!N.z.O.|
...
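As an added example (not code from the original post), here is a small Python parser that walks a ClientHello record to the SNI extension, plus a builder that constructs a minimal ClientHello for testing; the SNI bytes the builder emits (00 00 00 11 00 0f 00 00 0c ...) are the same ones visible in the dump above.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0), length, name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)    # extension type server_name(0), length
               + struct.pack("!H", len(sni_list)) + sni_list)   # ServerNameList length, then the list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                # client_version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite (constructed choice)
            + b"\x01\x00"                                       # compression_methods: null only
            + struct.pack("!H", len(sni_ext)) + sni_ext)        # extensions length + SNI extension
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)

def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent or malformed.
    Note: TLS 1.3 still sends SNI in the clear unless Encrypted Client Hello (ECH) is in use."""
    if len(record) < 5 or record[0] != 0x16:                    # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                            # not a ClientHello
        return None
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        i = 2 + 32                                              # skip client_version and random
        i += 1 + p[i]                                           # skip session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]             # skip cipher_suites
        i += 1 + p[i]                                           # skip compression_methods
        ext_end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= ext_end:                                 # iterate over extensions
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            data, i = p[i:i + elen], i + elen
            if etype == 0x0000:                                 # server_name extension
                j = 2                                           # skip ServerNameList length
                while j + 3 <= len(data):
                    ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:                              # host_name entry
                        return data[j:j + nlen].decode("ascii", "replace")
                    j += nlen
    except (IndexError, struct.error):                          # truncated or malformed hello
        return None
    return None
```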

And of course, it's in the certificate reply as well, in the certificate's Subject Alternative Name extension (the bytes 06 03 55 1d 11 in the dump are that extension's OID, 2.5.29.17)!

2e 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67   .letsencrypt.org
2f 30 29 06 03 55 1d 11 04 22 30 20 82 0c 6b 69   /0)..U..."0 ..ki
72 62 75 63 68 69 2e 63 6f 6d 82 10 77 77 77 2e   rbuchi.com..www.
6b 69 72 62 75 63 68 69 2e 63 6f 6d 30 81 fe 06   kirbuchi.com0...
03 55 1d 20 04 81 f6 30 81 f3 30 08 06 06 67 81   .U. ...0..0...g.
0c 01 02 01 30 81 e6 06 0b 2b 06 01 04 01 82 df   ....0....+......
13 01 01 01 30 81 d6 30 26 06 08 2b 06 01 05 05   ....0..0&..+....

Sources