Encrypting SNI
-
just found this blog post
Encrypting SNI: Fixing One of the Core Internet Bugs

The blog post says:

Later this week we expect Mozilla's Firefox to become the first browser to support the new protocol in their Nightly release. In the months to come, the plan is for it to go mainstream. And it's not just Mozilla. There's been significant interest from all the major browser makers and I'm hopeful they'll all add support for ESNI over time.

Does Vivaldi have plans to support this?
-
@rafale With V's relationship with Cloudflare and their desire to create as secure a browser as possible, I suspect they will try to get ESNI into V as soon as it becomes a part of the Chromium base.
For more info and a basic explanation, as well as a link to Cloudflare's technical paper on ESNI, please see the Naked Security post regarding this subject.
-
@greybeard Thanks for the link. Good read.
Other than browsers, do websites also need to support ESNI in order for this to work effectively?
-
As nice as it will be to close the holes with unencrypted traffic, this doesn't really solve very much at all. At the end of the day the snooper still knows which IP your requests are going to, and therefore, the vast majority of the time, what site you are visiting. Sites using SNI tend to be closely related to other sites on that same server (usually subdomains of the main domain, or domains owned by the same company), so even if I don't know that you visited abc.acme.net, I still know you visited an acme.net site. E.g. google.com isn't sharing servers with microsoft.com.
I would also expect adoption to be extremely low, since it requires both generating the keys (this part could be handled automatically as part of the webserver setup and therefore causes minimal concern) and publishing the public key in a DNS record, which is something barely anyone except dedicated sysadmins, a few good shared hosting/CDN companies and enthusiastic hobbyists will bother to do. Just look at the pitifully low uptake of CAA records etc. TLS by default only really gained ground because of Let's Encrypt making the process as painless as possible, but scripts run on the webserver are not going to have access to change DNS records.
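To make concrete what the thread is arguing about, here is an added example (not code from this thread, from Cloudflare, or from the Vivaldi project) that does what the "snooper" in the post above does: it reads the first TLS record of a connection and pulls the hostname out of the plaintext server_name extension. The ClientHello bytes are constructed inline for illustration rather than taken from a capture; a second, ESNI-style hello carries only an opaque blob under the extension code point the ESNI drafts used (0xffce), and the same observer gets no hostname from it. The IP address is of course still visible either way, which is the point made above.

```python
"""What an on-path observer can read from a TLS ClientHello with and without ESNI.

Added example, not part of the original forum thread. The ClientHello bytes are
built here for the demonstration (minimal, fixed values, not a real capture).
"""
import struct

EXT_SERVER_NAME = 0x0000    # RFC 6066 server_name extension (plaintext SNI)
EXT_ENCRYPTED_SNI = 0xFFCE  # code point used by the draft-ietf-tls-esni drafts


def build_client_hello(server_name=None, esni_blob=None):
    """Build a minimal ClientHello record (constructed for this example)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList: one entry, name_type=host_name(0), u16 length, name
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host
        body = struct.pack("!H", len(sni_list)) + sni_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(body)) + body
    if esni_blob is not None:
        # Stand-in for the encrypted_server_name extension: opaque ciphertext only
        exts += struct.pack("!HH", EXT_ENCRYPTED_SNI, len(esni_blob)) + esni_blob
    hello = (
        b"\x03\x03"                # client_version: TLS 1.2 (legacy field)
        + bytes(32)                # random, zeroed for the example
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    # Handshake header: type=client_hello(1) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    # Record header: content_type=handshake(22), version 3.1, u16 length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return ("plain", hostname), ("esni", None) or (None, None).

    This is the snooper's view: it only parses plaintext and never needs a key.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]

    off = 2 + 32                                   # skip version + random
    sid_len = p[off]
    off += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + cs_len                              # skip cipher_suites
    cm_len = p[off]
    off += 1 + cm_len                              # skip compression_methods
    if off + 2 > len(p):
        return (None, None)                        # no extensions block at all

    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    result = (None, None)
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4])
        off += 4
        edata = p[off:off + elen]
        off += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: u16 list length, then (name_type, u16 len, name) entries
            q = 2
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                name = edata[q + 3:q + 3 + nlen]
                q += 3 + nlen
                if ntype == 0:
                    return ("plain", name.decode("idna"))
        elif etype == EXT_ENCRYPTED_SNI:
            result = ("esni", None)                # ciphertext only; nothing to read
    return result


if __name__ == "__main__":
    print(extract_sni(build_client_hello(server_name="abc.acme.net")))
    print(extract_sni(build_client_hello(esni_blob=bytes(16))))
```

Run it and the first line shows the hostname read straight off the wire; the second shows that with the ESNI extension the observer learns only that ESNI is in use. Resolving the hostname, the server's key in DNS, and the destination IP are what the rest of this thread is about.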
-