Licence to snoop: Ipso facto, crypto embargo? Draft Investigatory Powers bill lands

Ben Tasker

Re: DNS and SSL - flawed proposal?

> Would the original post be the case if SNI were disabled?

Yes, if SNI were disabled you'd be reliant on DNS.

However, the reason SNI was introduced was because you needed a dedicated IPv4 address to bind an HTTPS service to if you wanted to avoid certificate warnings (without SNI, the server doesn't know which service you want until it gets the Host header, which is after the TLS handshake - so it will serve its default, which probably won't match the FQDN you're after).

If you're thinking of disabling SNI, you'd probably be opening yourself up to other risks. A lot of HTTPS sites would become inaccessible to you, in the sense that they'll give certificate warnings. Being in a position where sites are expected to give warnings vastly increases the work you need to do to verify that a cert you've received is genuine and valid and not the result of someone MITM'ing you.

You may also experience some issues with sites that use cert stapling :)
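The point above is that the server picks a certificate at the ClientHello, before it ever sees a Host header, and the only hostname available to it at that stage is the SNI extension, which travels in cleartext. The following Python is an added example (not code from the post or its author) that builds a hand-constructed ClientHello with and without an SNI entry and parses the hostname back out the way a server, or a passive observer on the path, would read it. The cipher suites, client random and hostname are placeholders chosen for the example.

```python
import struct

# TLS constants used below (values from RFC 5246 / RFC 6066)
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_EXTENDED_MASTER_SECRET = 0x0017
NAME_TYPE_HOST_NAME = 0x00


def _sni_extension(hostname: str) -> bytes:
    """server_name extension (RFC 6066 section 3) with one host_name entry."""
    name = hostname.encode("ascii")
    entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None, client_random=b"\x11" * 32) -> bytes:
    """Constructed TLS 1.2-style ClientHello record, with or without SNI.

    The cipher suites and fixed client_random are placeholders; this is a
    hand-built sample message, not a capture from a real client."""
    body = b"\x03\x03" + client_random          # client_version + random
    body += b"\x00"                              # session_id length 0
    suites = b"\x13\x01\x13\x02\xc0\x2f"         # three example suite ids
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # compression: null only
    # extended_master_secret goes first so the parser has to step past it
    exts = struct.pack("!HH", EXT_EXTENDED_MASTER_SECRET, 0)
    if hostname is not None:
        exts += _sni_extension(hostname)
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's SNI extension, or None.

    Everything read here is plaintext: it is what the server uses to choose
    a certificate, and what anyone on the path can see before key exchange."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    try:
        pos = 2 + 32                                              # version + random
        pos += 1 + body[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + body[pos]                                      # compression_methods
        if pos + 2 > len(body):
            return None                                           # no extensions block
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == NAME_TYPE_HOST_NAME:
                    return name.decode("ascii")
    except (IndexError, struct.error):
        return None                                               # truncated or malformed
    return None


if __name__ == "__main__":
    for host in ("www.example.com", None):
        hello = build_client_hello(host)
        print(f"SNI={host!r:20} parsed from the wire: {extract_sni(hello)!r}")
```

Run as-is, the first line shows the hostname recovered from the cleartext record; the second shows that without the extension there is nothing in the handshake naming the site, so the server can only fall back to its default certificate and the only remaining link between client and hostname is the DNS lookup that preceded the connection.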
