Network middle-boxes often classify the traffic flows on the Internet to
perform traffic management or discriminate one traffic against the other. As
the widespread adoption of HTTPS protocol has made it difficult to classify the
traffic looking into the content field, one of the fields the middle-boxes look
for is Server Name Indicator (SNI), which goes in plain text. SNI field
contains information about the host and can, in turn, reveal the type of
traffic. This paper presents a method to mask the server host identity by
encrypting the SNI. We develop a simple method that completes the SSL/TLS
connection establishment over two handshakes – the first handshake establishes
a secure channel without sharing SNI information, and the second handshake
shares the encrypted SNI. Our method makes it mandatory for fronting servers to
always accept the handshake request without the SNI and respond with a valid
SSL certificate.

As there is no modification in already proven SSL/TLS encryption mechanism
and processing of handshake messages, the new method enjoys all security
benefits of existing secure channel establishment and needs no modification in
existing routers/middle-boxes. Using customized client-server over the live
Internet, we demonstrate the feasibility of our method. Moreover, the impact
analysis shows that the method adheres to almost all SSL/TLS related Internet
standards requirements.

By admin