Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

Dave Garrett <> Fri, 28 August 2015 17:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 66FBD1B2E01 for <>; Fri, 28 Aug 2015 10:01:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id n279JNoB7bgL for <>; Fri, 28 Aug 2015 10:01:52 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 28A8C1B2DE7 for <>; Fri, 28 Aug 2015 10:01:52 -0700 (PDT)
Received: by qgi69 with SMTP id 69so3792148qgi.1 for <>; Fri, 28 Aug 2015 10:01:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=HvmYclU4RUZXkCJ76til8TERFjsBf/ZQcdaRMIErrd8=; b=w+MjuEUvsjs1bWilVuWaT2DCXu1SAFxxw9twCRRejXGanmnOwve+51hXf05tfJbL0q PA6mWttFAm+wsmBqFadzoBb2ltsXUygNVbEeby90COC2jhX0+pY9MqU0zEdiZCnO4L2x 2bRHXBQT32DNS2ndaSP1GgwKMizU01aVfmek/6vs3lUuLKhp421uJsuIuXl0F58Amm3t Byl967bhXOJjN0SnZ1cgQVGmbkAQOFM4T29viHxQ0FDDEYQ1Frozo08FqUGQjE/Gawqo i/74e0Ln0WTqfXm0daUchSw8ZFE4TORbSDa3yQv9G43SDtIdzznwB2FbfThGFmNEvJpT Ro7w==
X-Received: by with SMTP id 81mr18614849qhf.13.1440781311325; Fri, 28 Aug 2015 10:01:51 -0700 (PDT)
Received: from dave-laptop.localnet ( []) by with ESMTPSA id b16sm3804297qkj.1.2015. (version=TLSv1 cipher=RC4-SHA bits=128/128); Fri, 28 Aug 2015 10:01:50 -0700 (PDT)
From: Dave Garrett <>
Date: Fri, 28 Aug 2015 13:01:49 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <>
Archived-At: <>
Subject: Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Aug 2015 17:01:53 -0000

On Friday, August 28, 2015 12:33:31 pm Salz, Rich wrote:
> > And how often will the same client visit multiple servers at the same
> > transport address?
> Anyone who visits sites hosted by a CDN.  And, I suspect, many large portals.

How's it done with IPv6, generally? Are there setups where everyone is sharing a v6 IP? We could eventually get to the point where a reverse DNS lookup is all that's needed for everyone if things were set up smartly. Probably a better setup for things to work, but worse for passive surveillance. (though, IPv6 could eventually let clients randomize their IP frequently, which helps some things; getting off-topic here, though)

> > I don't really see this as viable or worth the effort.
> Agree.

I agree that it's a lot of effort for relatively little gain. I might be worth considering, but if the consensus is that TLS just isn't designed to do this easily enough to be worth it, then I don't really dispute a decision to just drop the concept.