On 05/10/2017 02:12 PM, Christian Huitema wrote:
>
> On 5/10/2017 12:04 PM, Viktor Dukhovni wrote:
>>> On May 10, 2017, at 2:47 PM, Hubert Kario <hka...@redhat.com> wrote:
>>>
>>> But in general, I wonder if we didn't approach the SNI from the wrong side -
>>> as I said, we may not need to encrypt it, we just make sure that client and
>>> server agree on the virtual host the connection is going to.
>> They can do that with a name in the clear.  If the name is to be hidden
>> from passive observers, then you do need encryption so that only the
>> client and server, and not the passive observers, can recover the name.
>>
>> Encryption means key agreement, and requires delaying SNI by a round-trip,
>> or having published DH shares in DNS, which of course also needs privacy
>> protection for SNI encryption to matter.
>>
>> I do believe this was discussed at some length previously.
> It certainly was. But then the clear text SNI is a gaping privacy hole
> in TLS, the kind of issue that should keep us awake at night until it is
> resolved. We need to make sure that we make progress, rather than rehash
> the old arguments. Maybe we should invest some time and document the
> various proposals in a draft. I am willing to work on that. Any other
> volunteers?
>

It seems like there are a number of ways to encrypt the SNI for the
*second* (and subsequent) exchange with a given server; I have one that
I have some notes on and might try to write up.  But do we think that's
worth doing, or do we want to also provide protection for the initial
contact?  It seems like there is a qualitative difference, there...

-Ben
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
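
The "published DH share in DNS" path Viktor describes above, as an added example that is not part of this thread or of any TLS implementation: the server's static X25519 public key stands in for the DNS record, the client agrees an ephemeral key against it and seals the name in its very first flight, so no round trip is spent on key agreement. The function names, the SHA-256 key derivation with its label and the single-use zero-nonce rule are assumptions of this example (Go standard library only).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// aeadFor runs X25519 between our key and the peer's share and turns the secret
// into an AES-256-GCM key via a labelled SHA-256 (simplified KDF; an assumption).
func aeadFor(our *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := our.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("example-sni-key:"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSNI is the client: `published` is the server's static share (the "DH
// share in DNS" from the thread); a fresh ephemeral key agreed against it seals
// the name in the first flight. The derived key is single-use, so a zero nonce
// is safe; the client's share is bound to the ciphertext as associated data.
func EncryptSNI(published *ecdh.PublicKey, sni string) (*ecdh.PublicKey, []byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := aeadFor(eph, published)
	if err != nil {
		return nil, nil, err
	}
	share := eph.PublicKey()
	return share, gcm.Seal(nil, make([]byte, gcm.NonceSize()), []byte(sni), share.Bytes()), nil
}

// DecryptSNI is the server: static private key plus client share recovers the name.
func DecryptSNI(static *ecdh.PrivateKey, share *ecdh.PublicKey, ct []byte) (string, error) {
	gcm, err := aeadFor(static, share)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), ct, share.Bytes())
	return string(pt), err
}
```

A passive observer sees only the ephemeral share and the ciphertext; what the scheme does not hide is the fact that the DNS record itself has to be fetched privately, which is the point Viktor makes about DNS needing its own protection.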
