On 5/10/2017 2:40 PM, Roland Zink wrote:
> The SNI extension is optional, so you don't have to send the literal
> value. Indeed quite a number of apps do not send it. Browsers
> currently can't know if the SNI is required by the origin servers and
> usually send this, but there could be some signal to not send it. One
> example could be an HTTP header to tell the browser that SNI should be
> sent, and if it isn't present then no SNI is sent. Unfortunately this
> would break current sites, but still it can be done the other way
> around, e.g. send a header to not send SNI.
Yes. But this is only possible when each service has a separate IP address. The privacy gain occurs precisely when several services share the same address, but that's exactly when the SNI is required. If the SNI was somehow encrypted, adversaries would not be able to use it to find which service the user is connecting to.

-- 
Christian Huitema

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
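To make the point of the reply concrete, here is an added example (not part of the thread and not code from either author): it builds a minimal TLS 1.2 ClientHello with or without the server_name extension of RFC 6066, parses it the way a passive network observer would, and shows what that observer learns under the two hosting situations discussed. The hosting table, IP addresses and hostnames are constructed for the example; the `HOSTING` dict, `build_client_hello`, `extract_sni` and `observer_view` are assumptions of this example, not anything from the TLS specification.

```python
"""Constructed example: what a passive observer learns from a ClientHello
with and without the server_name (SNI) extension (RFC 6066)."""
import os
import struct

# Constructed hosting table (assumption): which services sit behind which IP.
HOSTING = {
    "192.0.2.10": {"alpha.example"},                                   # dedicated IP
    "192.0.2.20": {"beta.example", "gamma.example", "delta.example"},  # shared IP
}


def build_client_hello(hostname=None):
    """Build a minimal TLS 1.2 ClientHello record; include an SNI extension
    only when hostname is given. Fields are just realistic enough to parse."""
    body = b"\x03\x03" + os.urandom(32)          # client_version, random
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                           # compression_methods: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName: name_type 0 (host_name), 2-byte length, the name itself
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        # ServerNameList: 2-byte list length followed by the entries
        sni_data = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def extract_sni(record):
    """Return the host_name carried in the SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:      # not a handshake record
        return None
    pos = 5
    if record[pos] != 0x01:                       # not a ClientHello
        return None
    pos += 4                                      # handshake type + 3-byte length
    pos += 2 + 32                                 # client_version + random
    pos += 1 + record[pos]                        # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + record[pos]                        # compression_methods
    if pos + 2 > len(record):
        return None                               # no extensions block at all
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                    # server_name extension
            name_type = record[pos + 2]           # after the 2-byte list length
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            if name_type == 0:                    # host_name
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None


def observer_view(dst_ip, record):
    """What a passive observer can conclude about the destination service:
    the SNI if present, otherwise the IP alone when it hosts a single service."""
    candidates = HOSTING.get(dst_ip, set())
    sni = extract_sni(record)
    if sni is not None:
        return {"service": sni, "how": "sni"}
    if len(candidates) == 1:
        return {"service": next(iter(candidates)), "how": "ip"}
    return {"service": None, "how": "ambiguous", "candidates": sorted(candidates)}


if __name__ == "__main__":
    for ip, host in [("192.0.2.10", None), ("192.0.2.20", None), ("192.0.2.20", "gamma.example")]:
        print(ip, host, "->", observer_view(ip, build_client_hello(host)))
```

Running the script shows the three cases from the reply: omitting SNI to a dedicated IP hides nothing, because the address already identifies the service; omitting it to a shared IP leaves the observer guessing among the hosted names, but that is the case where the server needs the SNI to pick a certificate; and sending it in the clear to the shared IP names the service directly, which is what an encrypted SNI would remove from the observer's view.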