Hi folks,

I just submitted:

  https://tools.ietf.org/html/draft-rescorla-tls-esni-00

This draft describes a DNS-based approach to doing encrypted SNI.

Previously, we had thought this wouldn't work because only sites that
were particularly vulnerable would do it, and so the use of ESNI marks
you out. The idea behind this draft is that there are a lot of sites
which are hosted by -- and whose DNS is run by -- a large provider,
and that provider can shift many if not all of its sites to ESNI at
once, thus removing the "standing out" issue and making a DNS-based
approach practical.

I am working on an implementation for NSS/Firefox and I know some
others are working on their own implementations, so hopefully we can
do some interop in Montreal.

This is at a pretty early stage, so comments, questions, defect
reports welcome.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls