Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

Viktor Dukhovni <> Fri, 28 August 2015 16:22 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Fri, Aug 28, 2015 at 12:13:03PM -0400, Dave Garrett wrote:

> The idea I had the other day is that we can technically do SNI encryption
> with the current TLS 1.3 draft, as-is. All that needs to really be done
> is stick it in a 0-RTT EncryptedExtensions, preferably only when the server
> specifies that it is allowed via adding a flag to server config. This
> would require the actual server share the 0-RTT DH key across the virtual
> servers it's picking via SNI, so early data probably should be off in this
> instance for many use-cases.

So the client would now need to cache some session data by transport
address, and other data by name and port.  That's rather complex.
And how often will the same client visit multiple servers at the
same transport address?

I don't really see this as viable or worth the effort.

> I don't think encrypted SNI to servers without any prior information is
> really that viable, and that's been said before by others on this list.

I don't think SNI hiding is viable without encryption at the
transport or network layers.  And there's still a metadata leak
via DNS which may prove difficult to address.