On 7 Feb 2017, at 18:12, Ben Schwartz wrote:
> Hi TLS,
>
> Like a lot of people here, I'm very interested in ways to reduce the leakage
> of users' destinations in the ClientHello's cleartext SNI. It seems like the
> past and current proposals to fix the leak are pretty difficult, involving
> The examples section says
> A host that serves many subdomains with a single wildcard certificate
> could set the SNI of all subdomains to the same fixed subdomain, in
> order to prevent a passive adversary from learning which subdomain a
> user is accessing.
> I think that's a worthwhil
On 2/7/2017 9:11 AM, Ben Schwartz wrote:
> ...
>
> I proposed to treat IPv4 and IPv6 separately because a "dual stack"
> domain owner might reasonably have very different configurations for
> their IPv4 and IPv6 servers. For example, a domain owner might use
> shared hosting for IPv4, but assign
I read the doc. I’m a little dumb, but I think a more expanded ladder diagram
for Figure 2 would have helped me.
The basic process is query DNS, get the SNI record value, and use that as the
SNI value when connecting to the domain, right? But I’m not sure of the
interaction of CNAME entries he
On Tue, Feb 07, 2017 at 11:12:12AM -0500, Ben Schwartz wrote:
> Hi TLS,
>
> Like a lot of people here, I'm very interested in ways to reduce the
> leakage of users' destinations in the ClientHello's cleartext SNI. It
> seems like the past and current proposals to fix the leak are pretty
> difficu