At the hackathon held during the IETF 102 meeting, developers from Mozilla, Cloudflare, Fastly and Apple implemented a new TLS extension, ESNI (Encrypted Server Name Indication), which allows the name of the requested host to be sent in encrypted form.

ESNI is an improved version of SNI (Server Name Indication), the extension that makes it possible to serve multiple HTTPS sites from a single IP address. With SNI the hostname is sent in cleartext in the ClientHello message during the handshake, because it has to be transmitted before the encrypted connection has been set up.

This property of SNI simplifies routing of requests to HTTP servers and lets proxies and CDNs direct traffic, but it also discloses the hostname to any outside observer, for example the Internet service provider. The observer can therefore see which sites are being requested and selectively filter traffic by hostname.

In the new scheme the hostname is transmitted in encrypted form, protected by cryptographic keys known only to the server and the client. Because the client obtains the server's ESNI key through DNS, a cleartext DNS lookup would still reveal the hostname, so the scheme also relies on hiding the DNS query itself by using DNS-over-HTTPS or DNS-over-TLS.

ESNI support is currently implemented in the BoringSSL (Chromium), NSS (Firefox) and picotls (used by the H2O HTTP server) libraries.
