[as an individual]

On 9/7/18 6:48 PM, Erica Portnoy wrote:
> If someone's in a position to watch traffic going *from* a server trying to authenticate, they can certainly watch traffic going *to* that server, and note the various domain names being hosted on that server (since no encrypted sni :( ). And they could almost certainly get that same information from a reverse DNS, as well.


There's a lot of "probably" here (which I would cast as "maybe"). The prevalence of shared hosting providers makes SNI correlation significantly less problematic than information gained by trolling ACME servers under the current design. It's also worth noting that the TLS working group is working on approaches to encrypt SNI.

I think you're also overestimating the utility of reverse DNS on the Internet today. Just grabbing the first thing I find in a tcpdump on my network:

$ dig +short api.ambientweather.com
67.195.197.76

$ dig +short -x 67.195.197.76
p11ats-i.geo.vip.bf1.yahoo.com.


> You can't use precisely that method for phone numbers and contact email addresses, to be sure.


And that's where the most serious damage comes into play.

/a

_______________________________________________
Acme mailing list
Acme@ietf.org
https://www.ietf.org/mailman/listinfo/acme
