My understanding of HTTPS is that the initial server communication has the authority sent in plaintext while the remainder of the communication is encrypted, e.g. https://example.com/foo?bar=baz will have example.com (or at least its IP) visible as plaintext while the subpath and query will be encrypted. I'm interested in detecting a potential risk that might occur if a request is locally changed to point to a different authority whose server forwards the request as-is to a different URL. Here's an example of what I'd like to detect:
- Normal request URL: www.example.com/foo
- Attacker overrides URL locally to point to my.server.com/foo with duplicated public key for www.example.com
- Attacker-owned my.server.com redirects all traffic to www.example.com
- Attacker can now distinguish communication to www.example.com/foo from other communication to www.example.com
I'd like to be able to detect this being done server-side and am wondering if the encrypted block of the TLS request has any information on what authority the request was made to or if this would need to be additional information manually included in the request.
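As an added example that is not part of the original post, the script below shows the server-side check the question is reaching for. In HTTP/1.1 the `Host` header (and in HTTP/2 the `:authority` pseudo-header) is carried inside the encrypted TLS application data, so it is not visible on the wire; the only plaintext copy of the hostname is the SNI extension in the ClientHello. A server can therefore compare the authority the client actually addressed (Host) against the hostnames it is configured to serve and against the SNI the TLS layer saw. The `EXPECTED_HOSTS` set, the `check_authority` function and the sample requests are constructed for this example, not taken from the post.

```python
"""Server-side authority check: does the Host header inside the TLS session
match the SNI and the hostnames this origin expects to serve?

Constructed example; EXPECTED_HOSTS stands in for real deployment config.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hostnames this origin legitimately serves (assumed configuration).
EXPECTED_HOSTS: Set[str] = {"www.example.com", "example.com"}


@dataclass
class AuthorityCheck:
    sni: Optional[str]          # hostname from the TLS ClientHello (plaintext)
    host_header: Optional[str]  # hostname from the HTTP Host header (encrypted)
    verdict: str                # "ok", "host-missing", "host-mismatch", "sni-mismatch"


def parse_host_header(raw_request: bytes) -> Optional[str]:
    """Return the lowercased Host header of an HTTP/1.1 request head, with an
    explicit port stripped, or None if the header is absent."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if host.count(":") == 1:              # "www.example.com:443" (not IPv6-literal aware)
                host = host.split(":", 1)[0]
            return host or None
    return None


def check_authority(sni: Optional[str], raw_request: bytes,
                    expected_hosts: Set[str] = EXPECTED_HOSTS) -> AuthorityCheck:
    """Classify one request. The SNI would come from the TLS layer, e.g. the
    server_name argument of an ssl.SSLContext.sni_callback; the raw request is
    the decrypted HTTP head."""
    host = parse_host_header(raw_request)
    sni_l = sni.lower() if sni else None
    if host is None:
        verdict = "host-missing"      # HTTP/1.1 requires Host; treat absence as suspicious
    elif host not in expected_hosts:
        verdict = "host-mismatch"     # client addressed a different authority, then got relayed here
    elif sni_l is not None and sni_l != host:
        verdict = "sni-mismatch"      # TLS layer and HTTP layer disagree on the hostname
    else:
        verdict = "ok"
    return AuthorityCheck(sni=sni_l, host_header=host, verdict=verdict)


# Constructed sample traffic: (SNI seen by TLS, decrypted request head).
SAMPLES = {
    "direct":   ("www.example.com", b"GET /foo HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "relayed":  ("www.example.com", b"GET /foo HTTP/1.1\r\nHost: my.server.com\r\n\r\n"),
    "no_host":  ("www.example.com", b"GET /foo HTTP/1.0\r\nUser-Agent: x\r\n\r\n"),
    "port":     ("www.example.com", b"GET /foo HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"),
    "sni_diff": ("example.com",     b"GET /foo HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
}


def run_samples() -> Dict[str, str]:
    """Verdict for each constructed sample, keyed by sample name."""
    return {name: check_authority(sni, req).verdict for name, (sni, req) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:9s} -> {verdict}")
```

What this catches is a relay that passes the client's request through unchanged: the browser that was pointed at my.server.com sends `Host: my.server.com`, and the origin sees that name inside its own TLS session. A relay that rewrites the Host header (or, in HTTP/2, the `:authority` field) before forwarding is indistinguishable at this layer, so the check is a detection signal rather than a guarantee. In a reverse-proxy deployment the same comparison can be expressed in the proxy's own variables (nginx exposes the SNI as `$ssl_server_name` and the Host header as `$host`).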