Watchguard limiting Youtube bandwidth - It works, but how?

I am doing some work for a customer redoing their guest Wifi. They want to be able to rate-limit YouTube traffic. After figuring out that YouTube is now using SSL, I realized that I wasn’t going to be able to use their Packeteer to do this.

As an experiment, I tried to do it on their Watchguard (XTM 11.9.1.x) on the off-chance that Watchguard has a trick that I am unaware of. Amazingly, it works. Given that they are not doing any SSL inspection by forcing a certificate, I am not exactly sure how Watchguard is doing this, and I can’t find any info via Google.

The only way I can fathom is that they are using a process that resolves DNS and then limits the bandwidth to the underlying IP address for that session.

Just wondering if anyone has any insight.

SNI, Server Name Indicator, or CN, Common Name. Certificates can tell you a lot about where you are connecting to before the SSL/TLS connection is established:

BTW, Full Disclosure… I work at WatchGuard.

Without SSL inspection, usually content filters can make an educated guess about the site based on the SSL certificate that was sent (which it can read, just not the SSL-encrypted contents that follow). Without any form of SSL decryption ability, it can still apply policy based on the CN and SAN of the certificate.

Server Name Indication:

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a [client](https://en.wikipedia.org/wiki/Client_(computing)) indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other [service](https://en.wikipedia.org/wiki/Server_(computing)#Types_of_servers) over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 virtual hosting for HTTPS.


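As an added illustration (not code from any poster in this thread or from WatchGuard), here is the mechanism the comments describe in miniature: read the SNI hostname out of the unencrypted ClientHello, tag that TCP flow's 5-tuple with a shaping class once, and let every later encrypted segment of the same flow inherit the tag. The ClientHello builder, the flow tuples and the list of shaped domains are constructed test data, not anything from the page.

```python
import struct

SHAPED_SUFFIXES = ("youtube.com", "googlevideo.com")   # constructed shaping policy for this example

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello whose only extension is server_name (SNI)."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                          # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the SNI hostname of a TLS ClientHello, or None for anything else (incl. truncated data)."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 43                                            # record hdr 5 + handshake hdr 4 + version 2 + random 32
        p += 1 + record[p]                                # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                                # compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0 and elen >= 5:                  # server_name: list len(2), name type(1), name len(2), name
                nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

class FlowClassifier:
    """Tag a TCP flow once, at its ClientHello; every later (encrypted) segment inherits the tag."""
    def __init__(self):
        self.flows = {}                                   # 5-tuple -> "rate-limited" | "default"

    def classify(self, five_tuple, payload: bytes) -> str:
        if five_tuple in self.flows:
            return self.flows[five_tuple]                 # no decryption needed: the flow is already tagged
        host = extract_sni(payload)
        if host is None:
            return "unclassified"                         # SYN, no SNI yet, etc.: decide when a ClientHello arrives
        shaped = any(host == s or host.endswith("." + s) for s in SHAPED_SUFFIXES)
        self.flows[five_tuple] = "rate-limited" if shaped else "default"
        return self.flows[five_tuple]
```

A ClientHello without SNI leaves the flow unclassified here; a real device would fall back to the CN/SAN of the server certificate, as the comment above notes.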

I didn’t see closure on this thread. The original question was “how” WatchGuard was doing bandwidth limiting on a specific YouTube TLS connection. I get the SNI piece for initially identifying the target of the client request, but I don’t see how that allows you to subsequently manage that traffic given it’s all encrypted.