Cloudflare Now Offers Better Privacy with SNI Encryption During TLS Negotiation

26 Sep

Cloudflare now supports “Encrypted Server Name Indication” (ESNI), which makes users’ browsing activity harder to trace by anyone watching the network path. A single web server can host many websites that all share the same external IP address, with the server’s resources divided among multiple domains; this is called virtual hosting. “Server Name Indication” (SNI) is the part of the TLS protocol that tells the server which site the client wants, so the server can present the right TLS certificate and connections to different websites behind one IP address can each be authenticated and protected. A client with SNI support sends the hostname it wants to reach in its very first message to the server. This opening step of the TLS negotiation happens in the clear, so it is exposed to every node along the path. An outside observer can therefore see which sites a user visits, and a network that does not approve of a destination can block or tamper with the connection on that basis.

Encrypted Server Name Indication

With Encrypted Server Name Indication, the destination name is no longer sent in the clear during the handshake. ESNI is still at an early stage and is currently available only as an experimental draft. TLS 1.3 already moves the website certificate into the encrypted part of the handshake, so the plaintext SNI was the remaining place where the destination name leaked. To close that gap, the server publishes a public key in a Domain Name System (DNS) record that the client can look up before it connects. The client uses that key to encrypt the SNI so it is protected in transit, and only the destination server can decrypt it. Note that the destination IP address is still visible to an observer; ESNI hides the site name effectively when many sites share that address, which is exactly the virtual-hosting case.

Closing the Remaining Gaps

ESNI protects the destination name inside the TLS handshake, but the DNS query that looks up the website’s IP address is still sent in plain text, so the same name can be read off the network there instead. To address this, Cloudflare also supports DNS over TLS (DoT) and DNS over HTTPS (DoH) on its own public DNS resolver, so that DNS queries are encrypted and hidden from third parties on the path. The resolver itself still sees every query; DoT and DoH hide the lookup only from on-path observers. Separately, DNSSEC support protects against cache poisoning: the resolver cryptographically validates the responses it receives from authoritative servers, including Cloudflare’s own, before returning them. DNSSEC authenticates DNS data but does not encrypt it; confidentiality comes from DoT and DoH.
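The two plaintext leaks discussed above (the hostname in a DNS query and the hostname in the SNI extension of a TLS ClientHello) are easy to see from the point of view of a passive on-path observer. The following is an added example written for this page, not Cloudflare code or any part of the ESNI draft: it builds a hand-constructed DNS query and two minimal ClientHello records (one with a plaintext SNI, one carrying an opaque stand-in for an ESNI extension) and parses the hostname back out the way a sniffer would. The extension codepoint used for the ESNI stand-in and the packet contents are assumptions for the demo; no real encryption is performed.

```python
"""Passive on-path observer: recover the destination hostname from a plaintext
DNS query and from the SNI extension of a TLS ClientHello.

Added example for this page, not Cloudflare code. All packets below are
constructed by hand for illustration; a real observer would read them from
a packet capture.
"""
import struct

# TLS constants (RFC 8446)
TLS_HANDSHAKE = 22
CLIENT_HELLO = 1
EXT_SERVER_NAME = 0
# Extension codepoint used by the early draft-ietf-tls-esni documents.
# Assumption for this demo only; the final ECH standard uses a different one.
EXT_ENCRYPTED_SNI = 0xFFCE


def build_client_hello(extensions: bytes) -> bytes:
    """Wrap extension bytes in a minimal TLS record carrying a ClientHello.
    Only the fields an observer has to skip over are filled in realistically."""
    body = b"\x03\x03"            # legacy_version = TLS 1.2
    body += b"\x00" * 32          # random (zeros for the demo)
    body += b"\x00"               # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"           # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname: str) -> bytes:
    """server_name extension: ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    lst = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(lst)) + lst


def esni_extension(opaque: bytes) -> bytes:
    """Stand-in for an ESNI extension: on the wire only an opaque blob is visible.
    Constructed bytes, not a real ESNI ciphertext."""
    return struct.pack("!HH", EXT_ENCRYPTED_SNI, len(opaque)) + opaque


def extract_sni(record: bytes):
    """What the observer learns from one TLS record:
    ('sni', hostname) if a plaintext SNI is present,
    ('esni', None) if only an encrypted SNI extension is present,
    (None, None) otherwise."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return (None, None)
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != CLIENT_HELLO:
        return (None, None)
    p = 4 + 2 + 32                                    # handshake header, version, random
    p += 1 + hs[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    result = (None, None)
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SERVER_NAME:
            q = 2                                     # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    return ("sni", data[q + 3:q + 3 + nlen].decode("ascii"))
                q += 3 + nlen
        elif etype == EXT_ENCRYPTED_SNI:
            result = ("esni", None)                   # hostname not recoverable
    return result


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Plain UDP DNS query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def extract_dns_qname(packet: bytes) -> str:
    """Read the queried name straight out of the question section.
    Queries carry no compression pointers, so plain labels suffice."""
    p, labels = 12, []
    while packet[p] != 0:
        n = packet[p]
        labels.append(packet[p + 1:p + 1 + n].decode("ascii"))
        p += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    print("DNS query leaks:", extract_dns_qname(build_dns_query("example.com")))
    print("plain SNI leaks:", extract_sni(build_client_hello(sni_extension("example.com"))))
    print("ESNI shows only:", extract_sni(build_client_hello(esni_extension(b"\xde\xad" * 8))))
```

Running the script shows the observer reading `example.com` out of both the DNS query and the plaintext ClientHello, while the ESNI-style record yields only the fact that an encrypted SNI extension is present. Switching the lookup to DoT or DoH removes the first leak, and ESNI removes the second; the destination IP address remains visible in both cases.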
