On Wed, May 10, 2017 at 07:28:51PM +0200, Hubert Kario wrote:
> Yes, encrypted SNI was discussed and ultimately rejected.
> 
> But do we really have to send the literal value? Don't we need to just make 
> sure that the client and server agree on the host that the client wants to 
> connect to?
> 
> Couldn't we "encrypt" the SNI by hashing the host name with a salt, sending 
> the salt and the resulting hash, making the server calculate the same hash 
> with each of the virtual host names it supports and comparing with the client 
> provided value?

What makes encrypting SNI nasty is replay attacks.

There was also a proposal for putting the SNI mapping into DNS (which limits the
leakage if DNS lookups are private). However, I came up with a way to use
that to attack HTTPS (the usual "default vhost" attacks).


-Ilari
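As an added illustration of the salted-hash SNI idea quoted above and of the replay problem raised in the reply (example code written for this page, not code from the thread or from any TLS implementation): the client sends (salt, hash), the server recomputes the hash over each configured virtual host, and the server's choice is a pure function of the pair it receives. The vhost names, the use of SHA-256, and the function names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed data: the virtual host names one server is configured for.
# Hypothetical names chosen for the example, not taken from the thread.
VHOSTS = ["alpha.example", "beta.example", "gamma.example"]


def hash_sni(host: str, salt: bytes) -> bytes:
    """Hash a hostname together with a salt.

    SHA-256 over salt || lowercase hostname is an assumption made here;
    the thread does not specify a hash construction.
    """
    return hashlib.sha256(salt + host.lower().encode("ascii")).digest()


def client_hello(host: str) -> Tuple[bytes, bytes]:
    """Client side of the proposal: pick a fresh random salt, send (salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_sni(host, salt)


def server_select(vhosts: Iterable[str], salt: bytes, digest: bytes) -> Optional[str]:
    """Server side: recompute the hash for every configured vhost and return the
    one whose hash matches, or None if nothing matches.

    Constant-time comparison is used so that the comparison itself does not
    leak which candidate matched through timing.
    """
    for name in vhosts:
        if hmac.compare_digest(hash_sni(name, salt), digest):
            return name
    return None


def demo_replay() -> Tuple[Optional[str], Optional[str]]:
    """Show why the scheme is replayable: the pair (salt, digest) is sent in the
    clear and carries nothing that ties it to the original client or connection,
    so presenting the same pair again yields exactly the same server decision.
    """
    salt, digest = client_hello("beta.example")   # the original connection
    original = server_select(VHOSTS, salt, digest)
    captured = (salt, digest)                      # an observer records the pair
    replayed = server_select(VHOSTS, *captured)    # ...and presents it later
    return original, replayed


if __name__ == "__main__":
    print(demo_replay())
```

The server cannot distinguish the replayed pair from the original without keeping extra state, and the salt, although random, is public, so it provides no freshness guarantee on its own; that is the property behind the "replay attacks" remark.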

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
