•  Rikudou_Sage   ( @rikudou@lemmings.world ) 
    English
    269 months ago

    It is kinda big, previously you had to send the host unencrypted to support SNI which in turn was needed to support https for multiple sites per one IP address, which was needed because we lack IP addresses. So there were basically two options: compromise privacy a tiny bit (by sending host unencrypted), or make it impossible for most websites to have any privacy at all (by making it impossible to have a https certificate).

    Now you can have the best of both worlds. Granted, you need to have DoH (which still isn’t the default on most systems AFAIK), but it’s still a step in the right direction.

    •  Guillaume Rossolini   ( @GuillaumeRossolini@infosec.exchange ) 
      49 months ago

      @rikudou @voxel
      ASFAIR it used to be even worse than that, because if you didn’t want SNI (for compatibility reasons or whatever), but you still wanted a certificate, you had to have one server for every hostname (because each had its own IP), assuming you could afford the additional IP space

      Granted you didn’t need a physical server, but that was still a bigger cost

      Some servers are more flexible on that front, but early SNI didn’t have those

      •  Rikudou_Sage   ( @rikudou@lemmings.world ) 
        English
        29 months ago

        Yeah, I thought I implied that, but that was the reason SNI started - IPv4 is a scarce resource and thus expensive and the only way to host multiple https websites was having multiple IPs (not necessarily multiple servers, you can easily have multiple IPs for one server, you just had to bind one IP per host), which was adding to the costs quite a bit and hobby projects couldn’t really afford it (well, they could, but not many people are spending hundreds of dollars for a hobby website).

      •  Rikudou_Sage   ( @rikudou@lemmings.world ) 
        English
        19 months ago

        It’s happening as part of the handshake. Probably not completely what it’s about, but it was the first that came to my mind.

        Edit: It has to happen before the encryption is established, because otherwise the server doesn’t know which certificate to use, because it doesn’t know which host is the client requesting. There’s also ESNI (encrypted SNI) to solve this but I’m not sure on how many servers actually deploy it.

  •  JCpac   ( @JCpac@lemmy.today ) 
    109 months ago

    I don’t get it… How does this protect anything? If we want our packets to reach a web server, we need to write the server’s IP address on them. If a snooper has the IP, can’t they just lookup the domain name from a DNS server? Or is that not a service DNS provides?

    If the IP address is encrypted, how will the routers know where to send the packets? Only solution I can think of would be onion routing… Am I wrong??

    •  Domi   ( @domi@lemmy.secnd.me ) 
      229 months ago

      An IP address is no longer associated with just one website/domain name. There could be thousands of websites running on a single IP address.

      As is, anyone can currently look at your encrypted traffic and see in plain text which site you’re surfing to. So this proposal is long overdue.

    •  Danny M   ( @dannym@lemmy.escapebigtech.info ) 
      119 months ago

      somebody wiresharking your traffic can see the domain name you’re contacting even if you use https; this solves that.

      reverse DNS lookup does exist, but it’s not always accurate, especially when multiple websites are hosted on the same server (which is more common than you think)

      •  JCpac   ( @JCpac@lemmy.today ) 
        19 months ago

        Is it because of the “Host” HTTP header? I always thought it was optional, since the IP address and port were handled by the network and transport layers respectively. Turns out it’s required to resolve between different virtual hosts in the same server. Today I Remembered (TIR?) that virtual hosts are a thing…

        Is there anything else that might indicate the domain name in the handshake connection?

        •  Domi   ( @domi@lemmy.secnd.me ) 
          79 months ago

          Is there anything else that might indicate the domain name in the handshake connection?

          The SNI (Server Name Indication) happens before any HTTP communication and is done in plain text. It is needed because a single web server might host multiple websites, since each of them has their own certificate it needs to know which one to serve you.

          With the new proposal that SNI is now encrypted. It makes the difference between anyone listening in being able to tell “you visited lemmy.world” and “you visited something behind Cloudflare”.

  •  Boring   ( @Boring@lemmy.ml ) 
    69 months ago

    While this is good for survielience circumventing… It is looking like the beginning of the end of DNS filtering and the popularization of encrypted telemetry.

    •  Boring   ( @Boring@lemmy.ml ) 
      89 months ago

      DNS of HTTPS or TLS has been available for years, but it hasn’t been adopted widely because the hello at the beginning if the three way handshake when connecting to a website ratted you out to your ISP anyways.