> On Feb 7, 2017, at 11:12 AM, Ben Schwartz <[email protected]> wrote:
> 
> Like a lot of people here, I'm very interested in ways to reduce the leakage 
> of users' destinations in the ClientHello's cleartext SNI.  It seems like the 
> past and current proposals to fix the leak are pretty difficult, involving a 
> lot of careful cryptography and changes to clients and servers.
> 
> While we're trying to figure that out, I think there's a simple trick that 
> could help a lot: just let domain owners tell users an alternate SNI in a DNS 
> entry.
> 
> Here's the full draft:
> https://tools.ietf.org/html/draft-schwartz-dns-sni-00
> 
> If you just want to glance at it, I recommend Figure 2.
> 
> Please read and critique!  This is a starting point; the contents will change 
> based on your input.

Instead of looking for a kludgey replacement SNI in DNS (that won't get
deployed, and provides rather weak obfuscation) it seems more sensible to
publish keys in DNS that make it possible to encrypt the entire client HELLO,
SNI and all.

I do not think that the proposed SNI in DNS is worth doing.

-- 
        Viktor.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
