Jacob Appelbaum wrote:
> On 12/2/15, Martin Rex <m...@sap.com> wrote:
>>
>> So your client will have to know a-priori, out-of-band or be configured
>> to TLSv1.3-only in order to avoid using a TLSv1.2-compatible ClientHello
>> with cleartext SNI.
> 
> I think that is false. One could easily use the "cleartext" SNI field
> and insert an encrypted value. A hash of the name would be a simple
> example but not a secure example, of course.

No you can NOT do this (in TLSv1.2 and earlier), because it is entirely
backwards-incompatible.

Server-side SNI can even be implemented completely outside of the TLS
protocol stack (that is how I implemented it).


> 
> To the point about TLS 1.2 vs TLS 1.3: Legacy clients will be less
> secure

That is a myth.

>
> and in ways that will only become worse over time. We should
> remember that TLS 1.3, while not yet finished or deployed, is a future
> legacy protocol.

TLSv1.3 is looking more and more like a future market failure to me,
worse than IPv6.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
