It can. The domain name is not sent in the clear in an HTTPS request. Instead, t... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		goldbrick on Feb 10, 2016 \| parent \| context \| favorite \| on: Show HN: Deepstream.io – open-source real-time ser... It can. The domain name is not sent in the clear in an HTTPS request. Instead, the connection is opened against the IP address and the domain name is moved to a Host: header which is encrypted.

esailija on Feb 10, 2016 [–]

SNI sends the server name in plain text

goldbrick on Feb 10, 2016 | | [–]

Correct (I considered explaining SNI but ultimately didn't bother), and a determined attacker could probably figure out a large number of the sites you visit by the IP as well.

orthecreedence on Feb 10, 2016 | | [–]

Right, and even still it's pretty trivial to reverse a domain from an IP address in most cases.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact