Topic: Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation
« on: September 24, 2018, 02:54:25 PM »

Cloudflare announces today support for encrypted Server Name Indication, a mechanism that makes it more difficult to track users' browsing.

A web server can host multiple websites, with all of them sharing the same external IP address. This is possible through virtual hosting, a method that allows splitting the resources among available domain names.

Server Name Indication (SNI) is a component of the TLS protocol that makes it possible for a server to present different TLS certificates that validate and secure the connection to websites behind the same IP address.

An application with SNI support includes the hostname it is trying to reach at the beginning of the handshake process with the server.

This initial conversation in the TLS negotiation process happens in the clear, exposed to every node along the way, allowing an observer to track users or to influence (block, slow down) the connection to websites it does not sympathize with.

Enter Encrypted Server Name Indication

An encrypted SNI (ESNI) eliminates the risk of exposing the destination name. The ESNI specification is currently available as an experimental design, with a proposed draft set to expire on March 22. It is an extension to the TLS protocol version 1.3 and above, where there is support for delivering the website certificate through the encrypted part of the TLS handshake.

The mechanism works by having the server publish the public key on a Domain Name System (DNS) record that is visible to the client before establishing the connection.

The client can then use the key to encrypt the SNI bit so that it is protected in transit, and decrypted at the destination.

Cloudflare explains that the process for generating an encryption key over an untrusted channel uses the Diffie-Hellman key exchange algorithm.

Taking care of loose ends

Even if ESNI protects the destination of the client, the DNS queries that ask for the IP address of the website are in plain text, hence visible over the network.

Cloudflare gradually adopted a series of technical solutions to get to the stage where it can offer increased privacy to users accessing websites on its infrastructure.

The company added support for DNS over TLS (DoT) and DNS over HTTPS (DoH) and combined it with its own DNS resolving service so that DNS queries are protected from prying eyes through encryption.

Recent support for DNSSEC prevents cache poisoning at the resolver level by signing and verifying the responses exchanged between Cloudflare's authoritative server and its resolver.

The weak spot

Despite the benefits of encryption, an attacker can still see the target's destination IP address. This is an area where Cloudflare still has to make improvements.

"Some of our customers are protected by this to a certain degree thanks to the fact that many Cloudflare domains share the same sets of addresses, but this is not enough and more work is required to protect end users to a larger degree," Cloudflare explains in a post shared with BleepingComputer.

The company says that ESNI is enabled for all websites. Since the specification is not in its final stage of development, it is not widely available in client applications.
