undefined | Better HN

0 pointsquesera10y ago0 comments

> I'm not sure how much hiding the SNI would get you in terms of privacy. You could always just look at the destination IP address of the packet.

Destination IP will be the same for all sites on the server, SNI tells you exactly which site was asked for. Not meaning to be pedantic, sometimes the distinction isn't clear.

But in order to encrypt the SNI name, you'd first need to verify a certificate tied to a bare IP address. You'd also need to trust DNS completely. RTT would inflate significantly.

The CA system is a mess, but DNS is worse. Tying certs to bare IPs would create a deployment nightmare as well.

SNI is imperfect, but it is a big improvement over the previous status quo, which was single-IP per https host, which obviously did nothing to obscure the site hostname either.

0 comments

jimktrains210y ago

> But in order to encrypt the SNI name, you'd first need to verify a certificate tied to a bare IP address.

Why wouldn't a DH exchange be enough?

queseraOP10y ago

You're right, DH might be enough, depending on goals.

The DH exchange would be MITMable, but not passively collectable. TLS is (ideally) neither, so DH wouldn't provide an equal level of privacy.

Still, it would be a beneficial extension of the protocol. At the cost of an additional TCP RT.

jimktrains210y ago

Right, however, the MITM attack would also come at the cost of causing the rest of the connection to fail. You could also do fun stuff like sending the sha256-mac of the hostname using the DH key as the MAC key. There are lots of fun ideas!

j / k navigate · click thread line to collapse

0 pointsquesera10y ago0 comments

> I'm not sure how much hiding the SNI would get you in terms of privacy. You could always just look at the destination IP address of the packet.

Destination IP will be the same for all sites on the server, SNI tells you exactly which site was asked for. Not meaning to be pedantic, sometimes the distinction isn't clear.

But in order to encrypt the SNI name, you'd first need to verify a certificate tied to a bare IP address. You'd also need to trust DNS completely. RTT would inflate significantly.

The CA system is a mess, but DNS is worse. Tying certs to bare IPs would create a deployment nightmare as well.

SNI is imperfect, but it is a big improvement over the previous status quo, which was single-IP per https host, which obviously did nothing to obscure the site hostname either.

0 comments

jimktrains210y ago

> But in order to encrypt the SNI name, you'd first need to verify a certificate tied to a bare IP address.

Why wouldn't a DH exchange be enough?

queseraOP10y ago

You're right, DH might be enough, depending on goals.

The DH exchange would be MITMable, but not passively collectable. TLS is (ideally) neither, so DH wouldn't provide an equal level of privacy.

Still, it would be a beneficial extension of the protocol. At the cost of an additional TCP RT.

jimktrains210y ago

j / k navigate · click thread line to collapse