CloudFlare has implemented support for Encrypted SNI

    On September 24, CloudFlare announced support for the TLS 1.3 Encrypted SNI extension.


    Benefits of ESNI

    • A passive observer on the network path (your ISP, a DPI box) no longer sees which domain you are connecting to. All it learns is the IP address, and on a CDN that address is shared by many unrelated sites.
    • Domain fronting is no longer needed to hide the real destination.

    How ESNI works

    On today's Internet many different domains sit behind the same IP address. To hand you the right certificate, the server has to know which domain you are asking for. That is why the hostname is sent in the clear, in the Server Name Indication (SNI) extension of the ClientHello, before the TLS session is established: anyone on the path can read it.

    How SNI works (diagram)

    ESNI encrypts exactly this part of the client's first message. The client fetches the server's ESNI public key from DNS (a TXT record under _esni.<domain>) and uses it to encrypt the SNI, sending an encrypted_server_name extension instead of the plaintext server_name extension. The rest of the ClientHello stays as it is; only the hostname is hidden from an observer.

    How ESNI works (diagram)
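To make the difference concrete, here is an added example (not from the original post or from Cloudflare's code): it builds a minimal TLS ClientHello in Python, once with an ordinary server_name extension and once with the SNI replaced by an encrypted_server_name extension, and then runs the parser a DPI box would use on both. The ESNI payload is constructed filler bytes standing in for the real ClientEncryptedSNI structure (key share, record digest, ciphertext), and the extension code point 0xffce is the draft-era value; both are assumptions of the example.

```python
import os
import struct

EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SNI = 0xFFCE  # assumption: draft-era code point for encrypted_server_name


def _ext(ext_type, data):
    """TLS extension: type(2) | length(2) | data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def sni_extension(hostname):
    """Plaintext server_name extension: a ServerNameList with one host_name entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def esni_extension(ciphertext):
    """Stand-in for encrypted_server_name; the bytes are opaque to an observer."""
    return _ext(EXT_ENCRYPTED_SNI, ciphertext)


def build_client_hello(extensions):
    """Minimal TLS 1.3-style ClientHello inside a handshake record."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"  # legacy version, random, empty session id
    suites = b"\x13\x01\x13\x02"  # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"  # one compression method: null
    exts = b"".join(extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sniff_sni(record):
    """What a passive on-path observer can read from the first TLS record.

    Returns None for non-handshake input, otherwise a dict with 'sni' (the
    cleartext hostname, if any) and/or 'esni' (the opaque ciphertext, if any).
    """
    if record[0] != 0x16:
        return None
    hs = record[5:]
    if hs[0] != 0x01:
        return None
    body = hs[4:]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # skip session id
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2 + n                                   # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods
    (ext_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_len
    seen = {}
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            # list length(2) + name_type(1) + name length(2) + name
            (name_len,) = struct.unpack_from("!H", data, 3)
            seen["sni"] = data[5:5 + name_len].decode("ascii")
        elif etype == EXT_ENCRYPTED_SNI:
            seen["esni"] = data  # only presence and size are visible
    return seen


if __name__ == "__main__":
    plain = build_client_hello([sni_extension("example.com")])
    print("plain SNI  :", sniff_sni(plain))
    encrypted = build_client_hello([esni_extension(os.urandom(48))])
    print("ESNI       :", sniff_sni(encrypted))
```

With the plaintext extension the observer recovers "example.com" from the very first packet; with ESNI it sees only that an encrypted_server_name extension of a given length is present. This example omits everything a real client also sends (key_share, supported_versions, and so on) because none of it affects what the sniffer can learn about the hostname.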

    A fly in the ointment

    ESNI depends heavily on DNS. So heavily that, with DNS as it is deployed today (plaintext), a censor can simply point DPI at the DNS protocol and drop every response that carries the servers' ESNI public keys, and the client silently falls back to plaintext SNI. This can only be fixed by a mass migration to encrypted DNS, such as DNS over HTTPS. DNSSEC alone is not enough: it lets the client detect that the record was stripped, but it does not hide the query. Judging by the Chrome developers blog, this transition is just around the corner.
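The DNS weakness can be shown the same way. The following added example (not the post's own code) builds the plaintext DNS query a client sends for the _esni.<host> TXT record that holds the ESNI public key, together with the filter rule a DPI box on UDP/53 could apply to it; the doh_get_url helper then shows the same packet wrapped for DNS over HTTPS (RFC 8484 GET form), where the query name travels inside TLS and the rule has nothing to match. The resolver URL is an example value, not something the post specifies.

```python
import base64
import struct

QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(pkt, pos):
    """Inverse of encode_name (queries do not use label compression)."""
    labels = []
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels), pos


def build_query(name, qtype, txid=0):
    """Plain DNS query with one question and the RD flag set (ID 0 suits DoH GET caching)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_esni_query(hostname):
    """The lookup an ESNI client performs before connecting to hostname."""
    return build_query("_esni." + hostname, QTYPE_TXT)


def dpi_should_drop(pkt):
    """Censor's rule for plaintext port-53 traffic: drop ESNI key lookups."""
    (qdcount,) = struct.unpack_from("!H", pkt, 4)
    pos = 12
    for _ in range(qdcount):
        qname, pos = decode_name(pkt, pos)
        qtype, _qclass = struct.unpack_from("!HH", pkt, pos)
        pos += 4
        if qtype == QTYPE_TXT and qname.startswith("_esni."):
            return True
    return False


def doh_get_url(pkt, resolver="https://cloudflare-dns.com/dns-query"):
    """Same wire-format query carried as a DoH GET: only the resolver's TLS endpoint is visible."""
    encoded = base64.urlsafe_b64encode(pkt).decode("ascii").rstrip("=")
    return resolver + "?dns=" + encoded


if __name__ == "__main__":
    q = build_esni_query("example.com")
    print("plaintext query dropped by DPI:", dpi_should_drop(q))
    print("over DoH the observer sees only:", doh_get_url(q).split("?")[0])
```

The rule is trivial to write precisely because the `_esni.` label is a fixed, predictable string; once the same bytes are an HTTPS request body or query parameter, the observer is left with "this client talked to a DoH resolver", which is the IP-level blocking problem the next section discusses.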

    ESNI also has to be supported by browsers, and so far that support is thin.

    What do we get from this?

    Internet censorship becomes much harder. Today most blocking is done by domain name, either by filtering DNS or by reading the SNI. All of those blocks stop working. What remains is blocking DNS queries or blocking IP addresses.

    Blocking DNS queries stops working once mainstream browsers enable DNS over HTTPS by default. That leaves a single option, blocking by IP address: you can block either the DNS resolvers or the unwanted sites themselves.

    Blocking by IP address is for the very brave. A single block can take down a large number of unrelated domains that share the address, and there is no reliable way to check in advance who will be affected. A blocked service, meanwhile, can move to an unblocked address in a couple of clicks, or fully automatically, and its users will not notice a thing.

    Summary

    Life gets a little better. But not yet: several more steps are needed before ESNI is fully supported.

    Links

    You can check your browser for TLS 1.3, ESNI support and DNS encryption here.
