tscs37 | 7 years ago

This is sorta it. SNI is the only unencrypted part that leaks the server hostname. CN/SAN blocking usually has a middlebox that decrypts the connections so there is nothing to be done here.

If somebody can MitM your encrypted connection to both server and DNS, encrypted SNI stops working to my understanding.

Buge | 7 years ago

Encrypted SNI is about protecting you from people who aren't in your list of trusted CAs.

If someone is in your trusted CA list, why do you want protection from them? If you want protection from them, remove them from your list of trusted CAs.

est | 7 years ago

IIRC after ServerHello the cert was given to client in clear text.

geertj | 7 years ago

This changed in TLS 1.3. The server cert is now encrypted.