By walterbell - 2 hours ago
Showing first level comment(s)
anticensor - a minute ago
ctz - 42 minutes ago
Crontab - 41 minutes ago
At the moment it is possible to MITM proxy (without the possibility decryption) to inspect the SNI and determine if the host is allowed, and if so the proxy does its own IP resolution and transparently proxies/forwards the TCP traffic. Ie it never engages in the TLS session. This is useful for restricting access from a LAN to services hosted on large cloud provides like AWS, GCP, etc where fixed IPs are not available (well, the third party service/website elects to use a CDN/load balancer/etc without regard to the full security impact).
A good example is PCI DSS and the payment card LAN. You should firewall and lock down so devices can only communicate with necessary services. Along with actual payment services, these LANs often need to allow access out to third party loyalty systems, digital receipt systems, etc that are cloud based.
With Encrypted SNI this won’t be possible to do securely anymore. A full MITM TLS decrypting proxy with explicitly configure clients will be required to ensure the encrypted SNI isn’t changed to a malicous host to eg upload captured payment data to. That’s a lot more overhead both in:
1. Configuring clients to use a proxy and custom CA (let’s hope all the various third parties apps support proxy setup and custom CAs, and no cert pinning!) 2. Running a proxy that now it has to do full decryption and encryption (to make sure you aren’t messing with the SNI and going to a host you shouldn’t).
Of course I don’t expect businesses to these lengths until there has been a serious breach exploiting encrypted SNI. Even then I don’t know which side will take action (or if neither side will)— merchants installing MITM proxies (unlikely), or third party service providers ditching load balancers and sticking to fixed IPs on their cloud hosts (less unlikely).
yardstick - 38 minutes ago
vbezhenar - an hour ago
RRRA - 23 minutes ago
This sounds inaccurate to me. If encrypted SNI is applied, the middleman should not be able to figure out which domain you are connecting to, without interrupting the connection. Domain fronting is a technique for prior TLS which you had to disguise the hostname.
ishitatsuyuki - an hour ago
phobosdeimos - 10 minutes ago
Isn't this (Encrypted SNI) was the one been extensively discussed here: https://news.ycombinator.com/item?id=17538390 ?
This is great. I hope CDNs like Cloudflare etc deploy it ASAP. Also, deprecate previous TLS versions as ASAP so it can be more effective.
rqs - an hour ago
Is there an official word from Microsoft that they allow it or just "they didn't ban it yet"?
Boulth - an hour ago