DNS and SSL - flawed proposal?
So how exactly do the politicians think this will work? As far as I can see:
1. HTTP 1.1 requires the host header field inside the request
2. HTTPS (SSL) connections encrypt the request and response
Therefore a typical user, starting with Google:
a. User visits www.google.com. Telco records this.
b. Google redirects to SSL connection. Now all traffic is encrypted.
c. User clicks on Google link. If link is non-HTTPS then client does DNS lookup and then connects to site. Telco could record DNS look-up and/or HTTP connection request.
d. However, if link itself is HTTPS then client PC does DNS lookup as before and then connects to HTTPS site. Telco could still record DNS look-up but can no longer see contents of request.
Conclusion: Once inside the SSL "bubble" only the DNS requests record user browser activity. There is nothing to gain from inspecting HTTP request headers if they are encrypted. This leads to some conclusions:
a. The only way to implement this is to record DNS requests. There are a *LOT* more DNS requests from each client than just those generated by the browser. For instance this will record access to every other service.
b. A user could circumvent this by using an offshore DNS provider (e.g. Google)
c. This proposal is technically flawed.
NB: I have excluded the fact that the links Google displays actually point back to Google, which then redirects to the target site. This detail allows Google to track but doesn't alter the above analysis.
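Added example, not part of the original post: a short Python sketch of the two data sources the comment compares, showing what a DNS query record contains (a hostname only) against what a plaintext HTTP/1.1 request exposes (Host header plus path), and that the same header parser gets nothing from an encrypted payload. The function names, the www.example.com hostname and all sample bytes are constructed for illustration.

```python
import struct

def build_dns_query(hostname, txid=0x1234):
    """Constructed sample input: a minimal DNS A-record query."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_dns_qname(packet):
    """Return the name in the first question: all a DNS record of the visit contains."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or pos + 1 + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def parse_http_request(payload):
    """Return (host, path) from a plaintext HTTP/1.1 request, else None."""
    try:
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None  # not readable text, e.g. an encrypted record
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return host, parts[1]

# Constructed samples; www.example.com is a placeholder name.
DNS_SAMPLE = build_dns_query("www.example.com")
HTTP_SAMPLE = b"GET /search?q=example HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Stand-in for an encrypted TLS application-data record (type 0x17) with made-up bytes.
TLS_SAMPLE = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    print("DNS lookup shows:   ", parse_dns_qname(DNS_SAMPLE))
    print("Plain HTTP shows:   ", parse_http_request(HTTP_SAMPLE))
    print("Encrypted payload:  ", parse_http_request(TLS_SAMPLE))
```

The DNS record carries no path, query string or protocol, which is why a log built from it cannot tell a browser visit from any other service resolving the same name.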
HTTP Host header by spec.