Martin Rex wrote:
> Salz, Rich wrote:
> >
> > At the TLS interim earlier this week, Brian Sniffen (from Akamai) started
> > a proposal that makes SNI-encryption something that can be deployed and
> > tested on the Internet in TLS 1.3. So we'll see if it gets used and works.
> > The earlier slides notwithstanding, it's something we
> > (those of us at Akamai) would really like to see.
>
> I haven't been tracking the TLSv1.3 proposals -- but whatever you do
> in the area of encrypted SNI, please ensure that padding *WILL* be used,
> so that two encrypted server names, that happened to differ by length,
> will not remain easily distinguishable.

Because it is not necessarily immediately obvious, you will need padding
also for the Server Certificate handshake messages. And, because the
key exchange is side-effected by properties of the Server Certificate,
you may additionally need padding for the ServerKeyExchange and
ClientKeyExchange handshake messages, so that the protocol doesn't leak
if one of the services uses an RSA certificate and the other uses an
ECDSA (or EdDSA) certificate.

-Martin
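
The length leak described in the message above, as an added example that is not part of the original post: it pads handshake fields to a fixed bucket using the content, type byte, zero padding layout of the TLS 1.3 record layer, and checks whether a passive observer can still tell messages apart by size. The function names, the 16-byte AEAD tag model, the server names and the certificate sizes are all assumptions constructed for illustration.

```python
# Added example: length-hiding padding. All names here are hypothetical.
AEAD_TAG = 16   # assumption: ciphertext length = plaintext length + 16-byte tag
HANDSHAKE = 22  # TLS content type value for handshake messages

def pad(content, bucket, ctype=HANDSHAKE):
    """Return content || type byte || zeros, rounded up to a multiple of bucket."""
    inner = content + bytes([ctype])
    return inner + b"\x00" * (-len(inner) % bucket)

def unpad(inner):
    """Strip trailing zeros; the last non-zero byte is the content type."""
    stripped = inner.rstrip(b"\x00")
    if not stripped:
        raise ValueError("no content type found: record is all padding")
    return stripped[:-1], stripped[-1]

def observed_len(plaintext):
    """Size a passive observer sees on the wire for one encrypted message."""
    return len(plaintext) + AEAD_TAG

def distinguishable(messages, bucket=None):
    """True if the observed lengths alone separate the messages."""
    lens = {observed_len(pad(m, bucket) if bucket else m) for m in messages}
    return len(lens) > 1

# Constructed sample data: two server names of different length, and stand-in
# Certificate messages sized roughly like an RSA chain and an ECDSA chain.
NAMES = [b"a.example", b"much-longer-name.example"]
CERTS = [b"R" * 1200, b"E" * 550]

if __name__ == "__main__":
    for label, msgs, bucket in [("server name", NAMES, 64),
                                ("certificate", CERTS, 512),
                                ("certificate", CERTS, 2048)]:
        print(f"{label:12} unpadded leak={distinguishable(msgs)} "
              f"bucket={bucket} leak={distinguishable(msgs, bucket)}")
```

The 512-byte bucket still separates the two certificate messages: padding hides the difference only when the bucket covers the largest message that has to blend in.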