I didn't know of the existence of SNI and thought that all traffic through TLS was encrypted. SNI sounds like a terrible idea: it should be obvious that leaking domain names will be abused and makes a mockery of any little cute icon in the browser (your government, police, ISP, airline knows what sites you visit). It would have been better to have a secure (ignoring DNS) inconvenient technology stack than a convenient somewhat-secure stack.


SNI is used extensively by the Russian government for censorship. All DPI circumvention tools are based on mangling the ClientHello enough to confuse the DPI box but not enough for the destination server to notice anything.


Before SNI every https site needed a dedicated IP address. As https got more popular, SNI was introduced.


TLS might encrypt the contents but it doesn’t encrypt the destination or source IP (how could it?)
