[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Cloudflare announces ESNI to decrease ISP's ability to know which sites you visit



https://blog.cloudflare.com/esni/

A follow-on to their launch of Cloudflare's 1.1.1.1 resolver network, and coming to Firefox nightly builds.  ESNI makes sure the site component of HTTPS requests are encrypted, not just the payload.

The blog post says they were motivated by the April 2017 repeal of restrictions of ISPs gathering customer browsing.  When you visit an https site, the server needs to know the name of the site before SSL/TLS negotiation can start (at least, on a server that has multiple hostnames on the same IP address), because that is how the server knows which certificate to utilize.  

ESNI goes beyond SNI (Server Name Indication), a 2003 IETF RFC.  The blog post talks about browser support.  It's not so clear what is required for Web servers and SSL certificates to make this work end-to-end for sites that are not hosted on Cloudflare.