What does SSL/TLS reveal about your session

The common understanding is that by using SSL/TLS your web browsing session will be entirely private. This is not entirely true.

Some data will have to be revealed in clear text before encryption can start.

The client will have to reveal the domain name is trying to reach.

Server Name Indication field assists virtually hosted webserver in identifying the intended websites that the client wishes to visit

Also, the server will be sending its certificate back in clear text with all its meta data readable off the wire.

This can be a problem in the following scenarios:

  • If someone intercepting data at your ISP level or somewhere in the upstream can see what websites you’re browsing (URLs will not be known though)
  • If you are browsing to less known websites, then your activity may raise an alarm
  • When using OpenVPN, you need to choose your hostname and certificate details very carefully. The more unique your settings, the easier your traffic can be picked up in the haystack (even if you keep cycling your IP addresses)

For the last point (OpenVPN or any SSL based VPN), if anonymity is one of your objectives., it’s worth selecting the default values while building your OpenSSL certificates.

ssl anonymity