Once the connection is MitM'd, the certificate validation would fail, since the ... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		cesarb on March 29, 2017 \| parent \| context \| favorite \| on: The House just voted to wipe out the FCC’s landmar... Once the connection is MitM'd, the certificate validation would fail, since the MitM host cannot sign the "hash of everything that's been exchanged in this connection so far" with the correct server certificate. So the MitM would have to choose between either learning the domain name but failing the connection, or letting the connection pass but not learning the domain name.

openasocket on March 29, 2017 [–]

Darn, that right. I guess I fall back to my other answer then: the ISP can always get the domain name from the server ip address and reverse or passive DNS, and there's nothing you can do about that.

Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10
Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact