Subject: Re: [LINK] Calling time on DNSSEC?
From: gtaylor (at) *nospam* tnetconsulting.net (Grant Taylor)
Newsgroups: comp.misc
Date: 04. Dec 2024, 02:37:46
Other headers
Organization: TNet Consulting
Message-ID: <viobpa$s79$2@tncsrv09.home.tnetconsulting.net>
References: 1 2 3 4 5 6
User-Agent: Mozilla Thunderbird
On 12/3/24 00:14, Lawrence D'Oliveiro wrote:
> Nobody uses PKI.

Um.... I think I'm one of many, Many, MANY people that will have to disagree with you on that one.
> TLS has a hole in it, in that the SNI, “Server Name Indication” (the “Host:” line in the HTTP request header) has to be sent unencrypted.
Two flags on the play:
1) Encrypted SNI is a thing.
2) "the "Host:" line in the HTTP request header" is *NOT* the SNI. The Host: header is part of the HTTP request that's inside of the TLS connection.
The SNI hello message does include something similar, but it's not the Host: header. And there's also ESNI to protect it.
> This allows eavesdroppers, like authoritarian Government regimes, to determine when you are trying to access a prohibited service, and block it before the encrypted connection can be set up.
Those are examples of the very things that ESNI is designed to defend against.
Link - What is encrypted SNI? | How ESNI works | Cloudflare
https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/

ECH also looks promising.
-- Grant. . . .
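Added example, not part of Grant's post or the thread: a small ClientHello builder and parser that shows concretely what the two flags above mean. The server_name extension sits in the plaintext ClientHello, so a passive observer (or a censor's DPI box) can read it and drop the connection before the handshake completes; the HTTP Host: header is never in the ClientHello at all, it is application data sent after the handshake, inside the encrypted connection. With ECH the outer ClientHello's SNI carries only the client-facing server's public name and the real name travels in an encrypted_client_hello extension. All hostnames and ClientHello bytes are constructed for the demo; the ECH payload is an opaque stand-in blob, not real HPKE ciphertext, and 0xfe0d is the draft code point for the extension (an assumption; the final RFC may differ).

```python
"""Added example (not from the original post): what an on-path observer can
read from the plaintext TLS ClientHello.  All bytes are constructed here;
nothing is a real capture."""
import struct
from typing import Dict, Optional, Set

EXT_SERVER_NAME = 0x0000   # server_name, RFC 6066
EXT_ECH = 0xFE0D           # encrypted_client_hello draft code point (assumption)


def _ext(etype: int, data: bytes) -> bytes:
    """Encode one TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(server_name: str, ech_public_name: Optional[str] = None) -> bytes:
    """Build a minimal TLS record carrying a ClientHello.

    Without ECH the real server_name goes into the SNI extension in the clear.
    With ECH the SNI carries only the public name of the client-facing server
    and the real name would travel in the encrypted_client_hello extension
    (a constructed placeholder blob here, not real encryption)."""
    outer_name = ech_public_name if ech_public_name else server_name
    host = outer_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    exts = _ext(EXT_SERVER_NAME, struct.pack("!H", len(sni_entry)) + sni_entry)
    if ech_public_name:
        exts += _ext(EXT_ECH, b"\x00" + b"\xaa" * 32)            # stand-in opaque payload
    body = (
        b"\x03\x03"                      # legacy_version TLS 1.2
        + b"\x11" * 32                   # random (fixed for the demo)
        + b"\x00"                        # legacy_session_id: empty
        + b"\x00\x02\x13\x01"            # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_extensions(record: bytes) -> Dict[int, bytes]:
    """Walk the plaintext ClientHello and return {extension_type: body}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip version + random
    pos += 1 + body[pos]                             # skip session id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                                # skip cipher suites
    pos += 1 + body[pos]                             # skip compression methods
    exts: Dict[int, bytes] = {}
    if pos + 2 > len(body):
        return exts                                  # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def extract_sni(record: bytes) -> Optional[str]:
    """The host_name an eavesdropper sees, or None if there is no SNI."""
    edata = parse_extensions(record).get(EXT_SERVER_NAME)
    if edata is None:
        return None
    lp = 2                                           # skip ServerNameList length
    while lp + 3 <= len(edata):
        ntype = edata[lp]
        (nlen,) = struct.unpack("!H", edata[lp + 1:lp + 3])
        if ntype == 0:
            return edata[lp + 3:lp + 3 + nlen].decode("ascii")
        lp += 3 + nlen
    return None


def sni_filter_blocks(record: bytes, blocklist: Set[str]) -> bool:
    """Model of the censorship step in the thread: decide from the plaintext
    SNI alone whether to kill the connection before the handshake completes."""
    name = extract_sni(record)
    return name is not None and name in blocklist


if __name__ == "__main__":
    plain = build_client_hello("forbidden.example.net")
    ech = build_client_hello("forbidden.example.net", ech_public_name="public.example.net")
    print("plain SNI :", extract_sni(plain), "blocked:", sni_filter_blocks(plain, {"forbidden.example.net"}))
    print("ECH   SNI :", extract_sni(ech), "blocked:", sni_filter_blocks(ech, {"forbidden.example.net"}))
```

The filter has nothing to work with in the ECH case because the only name in the clear is the public one; the real name is inside the ECH extension, which this demo only models as an opaque blob. Note also that nothing in either record contains a Host: header, which is why the post's second flag matters: a DPI box reading the ClientHello is reading the SNI, not HTTP.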