I tried those commands using the hrw.org ip address and sure enough, with SNI I am getting Fortinet Certificate, without I am getting the legitimate one. I guess that settles the matter.
Thanks for all the great answers, I will have to do some reading and testing tomorrow. I knew about the possibility of IP blocks, but I did not know about SNI, I will have to look into it.
As far as I now understand Forti* seems to be pretty advanced software, so I will see if I can get around it. I have my own cellular, I mostly want to know what they are doing behind the scenes.
Do I understand it correctly that they are deciding based on SNI/IP whether to let my packets through to the destination server - which provides me with an encrypted connection and the correct SSL Certificate such that they cannot decrypt my data - or, in the case of a blocked site, reroute my packets to the Forti-Blockpage using the Forti Certificate such that I get a warning? So this is in essence completely decoupled from the DoH step, as at least one person commented.
I do not really have practical experience with networking apart from having ssh'd into a machine inside the same network a few times, so I might use my cellular to see whether it's the firewall blocking me or my own stupidity.
What is the general practice on HN for updates, should I find some interesting results? Do I just post comments in this same thread?
> Do I understand it correctly that they are deciding based on SNI/IP whether to let my packets through to the destination server - which provides me with an encrypted connection and the correct SSL Certificate such that they cannot decrypt my data - or, in the case of a blocked site, reroute my packets to the Forti-Blockpage using the Forti Certificate such that I get a warning? So this is in essence completely decoupled from the DoH step, as at least one person commented.
I believe this is all correct (I might have been one of the commenters who suggested parts of it).
A reason they might use IP address is that it's hard to circumvent (without going through a proxy, tunnel, VPN, etc.). A reason they might use SNI is that it works against CDNs and sites that might change IP address frequently.
In terms of the replies, you can log into your account and click the "threads" button at the top to see your own posts on HN and all replies to them. This is a common way to keep conversations going after a story is no longer on the front page.
In my experience some HN threads continue to have active discussion for up to a week after they're on the front page, and rarely much beyond that.
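To make the SNI point above concrete, here is an added, constructed example (not code from anyone in this thread, and not FortiGate's logic). It builds a minimal ClientHello with and without a server_name extension, parses the hostname back out the way an inspecting device can before any encryption starts, and then makes a toy pass/block decision that falls back to the destination IP when no SNI is present. The hostname, the 203.0.113.x address and the blocklists are all constructed sample values.

```python
import struct
from typing import Optional, Set

# Constructed example: what a filtering middlebox can read from the first
# packet of a TLS connection. The ClientHello is sent in plaintext, so the
# server_name (SNI) extension is visible before any key exchange happens.

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Return a TLS record holding a minimal ClientHello; hostname=None omits SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        # ServerNameList: one entry of type host_name (0)
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + bytes(32)                                  # random (zeroed; constructed sample)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent.

    Raises ValueError when the bytes are not a ClientHello record at all.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                     # skip version and random
    sid_len = body[pos]; pos += 1 + sid_len          # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len        # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == EXT_SERVER_NAME:
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:                   # host_name
                    return name.decode("idna")
    return None


def filter_decision(record: bytes, dest_ip: str,
                    blocked_hosts: Set[str], blocked_ips: Set[str]) -> str:
    """Toy policy: block on SNI when present, otherwise fall back to the destination IP.

    This mirrors the two signals discussed above (SNI catches CDN-hosted sites
    whose IPs change; IP catches clients that send no SNI). Returns "block" or "forward".
    """
    sni = extract_sni(record)
    if sni is not None and sni.lower() in blocked_hosts:
        return "block"
    if dest_ip in blocked_ips:
        return "block"
    return "forward"


if __name__ == "__main__":
    rec = build_client_hello("www.hrw.org")
    print("SNI seen by middlebox:", extract_sni(rec))
    print("with SNI:", filter_decision(rec, "203.0.113.10", {"www.hrw.org"}, set()))
    print("without SNI, hostname rule only:",
          filter_decision(build_client_hello(None), "203.0.113.10", {"www.hrw.org"}, set()))
```

The third case in the usage block is the interesting one for a defender: with no SNI and no IP rule, a hostname-only policy forwards the connection, which is why devices that filter by SNI usually pair it with IP or certificate-based rules.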
Oh, I am also not really sure if I can even ssh into my home network at all. So far I have not been too keen on screwing around with my parents' router configuration, I might just have to do that to open the relevant ports.
The DoH server is just adguard, nothing fancy there.
In this case it is simply blocked by category of "Advocacy Organisations". I mostly find people's reactions interesting when I tell them that my school blocks Human Rights Watch, we are not in North Korea after all... I am more sad about the block of "uncategorized sites" which my own site that I recently set up sadly falls under :(.