by meritt 2466 days ago
How would proper SNI prevent this approach or how is it different? Doesn't this just connect to a given IP and issue a request for the target domain?

Curryfinger seems to work by querying Shodan and other scanners. Those scanners seem to work by just connecting to an IP address's port 443 and looking at the certificate. If you always require correct SNI (the domain you host) then that scanning stops working (you literally disappear from Shodan, for example). The fix (for scanners) would be to try and resolve every domain name you know of, or scan every IP with every domain name you know; that's infeasible. Only replying to correct SNI is not a defense mechanism by itself, but it does make it more difficult for attackers.
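As an added illustration of the "only reply to correct SNI" setup described above (example configuration, not from the thread or from any tool it mentions), this is how it looks in nginx: a catch-all `default_server` that aborts the TLS handshake for any connection whose SNI matches no configured site, including connections that send no SNI at all. `ssl_reject_handshake` exists in nginx 1.19.4 and later; the hostname and certificate paths are placeholders.

```nginx
# Added example (not from the thread): nginx 1.19.4+ catch-all server that
# refuses TLS handshakes whose SNI does not match a configured site.
# Hostnames and paths below are placeholders.

# Catch-all for any SNI that matches no server_name below, and for
# clients that send no SNI at all (plain "connect to IP:443" probes).
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Abort the handshake with an "unrecognized_name" alert instead of
    # serving a certificate. No ssl_certificate is needed in this block
    # when ssl_reject_handshake is on.
    ssl_reject_handshake on;
}

# The real site: only reachable when the client presents this SNI.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;            # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    location / {
        root /var/www/example;              # placeholder docroot
    }
}
```

To check your own host after reloading: `openssl s_client -connect <your-ip>:443` with SNI suppressed (`-noservername` on OpenSSL 3.x; OpenSSL 1.1.1 sends no SNI unless `-servername` is given) should fail with an unrecognized-name alert and show no certificate, while `openssl s_client -connect <your-ip>:443 -servername www.example.com` should complete and print the site certificate. The `default_server` block is what matters: if any other `server` block becomes the default for that `listen` socket, an SNI-less probe will be answered with that block's certificate instead. As the thread notes, this only removes the certificate from IP-only sweeps; a scanner that already knows the hostname and sends it as SNI still gets the normal response.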
It turns out that if you have a targeted domain you have a good chance of finding it in one of the popular cloud hosting ranges. Masscan + curryfinger work well together. Alexatop + masscan + curryfinger makes an interesting dataset.
Shodan also scans via domains to identify the proper certificate for websites that require a valid SNI.
Interesting, some results out of Shodan were surprising - this might be the reason. How do you pick what domains to try?
Btw you can also see the info we have for a domain using our DNSDB. For example, if you have the latest version of our CLI:

shodan domain uber.com

We have a database of 400+ million hostnames that we scan each month.
So if a host supports SNI you send it 400+mil requests? C'mon, dish.
I haven't seen that, maybe if you manually request a scan, then.