On Nov 13, 2013, at 4:48 AM, Ted Lemon <[email protected]> wrote:

> On Nov 12, 2013, at 8:32 PM, Stephen Farrell <[email protected]> 
> wrote:
>> The converse argument was just made on the TLS list yesterday to
>> the effect that there's no point in TLS 1.3 (or a TLS 1.2 extension)
>> encrypting SNI because it's the same as the obviously cleartext DNS
>> query in many cases.
> 
> That's a terrible argument. Then every eavesdropping issue becomes a 
> chicken-and-egg problem, because nobody is willing to go first.

I'm one of those that made that argument. I do think we should fix this in TLS, 
but realistically, browsers are going to continue sending SNI in the clear for 
at least another 10 years. Yes, we should fix this now, because whenever we 
start, that's when the 10-year countdown begins. The same is true for any 
modification to DNS, except the timeframe is likely to be even longer.

Yoav

[1] http://www.ietf.org/mail-archive/web/tls/current/msg10555.html
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
