On Tue, Nov 12, 2013 at 5:16 PM, Martin Thomson <[email protected]> wrote:

> On 12 November 2013 08:12, Ted Hardie <[email protected]> wrote:
> > The DNS query tells you which resource was the target even if the HTTP
> flow
> > was protected by TLS.
>
> In practice, since server name indication is sent in the clear, even
> this doesn't help.  Unless you are running a browser from 2001, you
> are sending SNI.
>
> That said, SNI may be pushed into an encrypted payload in TLS 1.3.
> The challenge there is that servers often use SNI to select what
> credentials to offer.
>

True; I'd been thinking about the blogspot-style use cases where you get an
initial negotiation at one name followed by a large set of alternate names,
but that's not the common case.  The VPN case is still an issue, though.

Having read through the rest of the thread, pushing SNI into the encrypted
portion of TLS in 1.3 seems like a good thing to do.

Ted
_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
