SNI encryption #1

Closed
martinthomson opened this issue Apr 17, 2014 · 4 comments

@martinthomson
Contributor

Server Name Indication could be encrypted to protect it from being inspected by passive attackers. There are some virtual-hosting type situations where hiding this information is considered desirable. If we can encrypt SNI, then it is probably trivial to encrypt other extensions.

However, this complicates the handshake. A lot. It also complicates virtual-hosting scenarios. Rich summarizes the issues pretty well here: http://www.ietf.org/mail-archive/web/tls/current/msg11823.html

ekr pushed a commit that referenced this issue Sep 23, 2015
ekr pushed a commit that referenced this issue Mar 20, 2016
ekr added a commit that referenced this issue May 20, 2016
@ekr ekr added parked and removed discuss-seattle labels Jul 8, 2016
ekr pushed a commit that referenced this issue Aug 13, 2016
@leonklingele
Contributor

Is this already ruled out? How could the SNI be encrypted without an additional RTT?

One could hash the SNI in the Client Hello which would at least help if the served host name is not publicly known (e.g. using a self-signed certificate).

@kaduk
Contributor

kaduk commented Mar 3, 2017

It seems likely that there will eventually be an (optional?) extension that permits an encrypted "real" SNI, with some fake public SNI. But maybe that is not what you are asking.

@leonklingele
Contributor

@ekr why was this closed?

@ekr
Contributor

ekr commented Apr 17, 2017

Because we are not going to do anything about it in the base specification.
