
CloudFlare has implemented support for Encrypted SNI

On September 24, CloudFlare announced support for the TLS 1.3 Encrypted SNI extension.


Benefits of ESNI (diagram)

How ESNI works

On the modern Internet, many different domains can share a single IP address. To present the right certificate, the server has to know which domain you are connecting to, so the hostname is sent in clear text (the server_name extension of the TLS ClientHello) before the session is encrypted.

SNI work pattern (diagram)

ESNI encrypts exactly this part of the client's traffic. The client fetches the server's ESNI public key from DNS, derives a shared secret from it, and sends the hostname encrypted inside a new ClientHello extension instead of in the plaintext server_name extension. Only the server name is hidden this way; the rest of the ClientHello stays visible as before, and the rest of the session is protected by TLS as usual.

ESNI work pattern (diagram)
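To make the difference concrete, here is an added example (my own, not code from the article or from Cloudflare) that builds two minimal ClientHello records by hand and inspects them the way a DPI box would. The first carries a plaintext server_name extension; the second omits it and carries the draft encrypted_server_name extension (code point 0xffce) instead. The random, the cipher suite list and the ESNI ciphertext are constructed placeholders, and the real ESNI extension body (key share, record digest, AEAD ciphertext) is not implemented, because the point here is only what an on-path observer can read.

```python
"""Read the server name from a TLS ClientHello, the way a DPI box does.

Added example, not code from the original article or from Cloudflare.
Both ClientHello records are constructed by hand, not captured: the
random, cipher suite list and ESNI ciphertext are placeholders, and the
real ESNI extension body (key share, record digest, AEAD ciphertext) is
not implemented, since the point is only what an on-path observer sees.
"""
import struct

EXT_SERVER_NAME = 0x0000            # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B     # RFC 8446 supported_versions
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE  # draft-ietf-tls-esni code point


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name=None, esni_ciphertext=None):
    """Minimal TLS 1.3 ClientHello wrapped in a handshake record."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList: one HostName entry (type 0, uint16 length, bytes)
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        exts += _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)
    if esni_ciphertext is not None:
        # Placeholder: a real client puts its key share, the record digest
        # and the AEAD ciphertext of the name here; an observer sees bytes.
        exts += _ext(EXT_ENCRYPTED_SERVER_NAME, esni_ciphertext)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")  # offers TLS 1.3

    hello = b"\x03\x03"                # legacy_version = TLS 1.2
    hello += bytes(32)                 # random (placeholder zeros)
    hello += b"\x00"                   # legacy_session_id: empty
    hello += b"\x00\x02\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
    hello += b"\x01\x00"               # legacy_compression_methods: null
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def inspect_client_hello(record):
    """Return what a passive observer learns: plaintext SNI and ESNI presence.

    Returns None for anything that is not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # version + random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    info = {"sni": None, "esni": False, "extensions": []}
    if pos + 2 > len(body):
        return info                                       # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == EXT_SERVER_NAME:
            p = 2                                         # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("idna")
                p += 3 + nlen
        elif etype == EXT_ENCRYPTED_SERVER_NAME:
            info["esni"] = True                           # present, but opaque
    return info


def dpi_verdict(record, blocked_hosts):
    """Hostname blocklist as many censors deploy it: reset if the SNI matches.

    With ESNI there is no plaintext name to match, so the only handle left
    to the censor is the destination IP address."""
    info = inspect_client_hello(record)
    if info and info["sni"] in blocked_hosts:
        return "RST"
    return "PASS"


if __name__ == "__main__":
    blocked = {"habr.com"}
    plain = build_client_hello(server_name="habr.com")
    esni = build_client_hello(esni_ciphertext=bytes(64))
    for label, rec in [("plain SNI", plain), ("ESNI", esni)]:
        print(label, inspect_client_hello(rec), dpi_verdict(rec, blocked))
```

Run it and the first record yields the hostname and a reset verdict; the second yields no hostname, only the fact that an ESNI extension is present, and passes. A censor who wants to stop that connection anyway has to act on the IP address, which is the situation the rest of the article describes.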

A fly in the ointment

ESNI depends heavily on DNS. So much so that, as long as DNS stays in plain text, a censor can simply put DPI on the DNS protocol and strip or block the records that carry the servers' public keys. This is only fixed by a mass migration to encrypted DNS such as DNS over HTTPS (DNSSEC on its own lets the client detect a tampered answer, but does not hide the query or the record from a DPI box). Judging by the Chrome developers' blog, that transition is just around the corner.
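The DNS dependency can be shown in the same way. In the ESNI draft Cloudflare deployed, the key is published as a TXT record named _esni.<host>. The following added example (my own, not the article's) builds such a lookup in DNS wire format and runs the one rule a censor needs on plaintext port 53: a few bytes of QNAME parsing pick out every ESNI key fetch. Over DNS over HTTPS the same message travels inside a TLS connection to the resolver and this filter has nothing to match on. The query is constructed inline and never sent.

```python
"""Filter ESNI key lookups on plaintext DNS, as a DNS-level DPI box would.

Added example, not from the original article. The queries are constructed
inline in DNS wire format (RFC 1035) and are never sent anywhere.
"""
import struct

QTYPE_A = 1
QTYPE_TXT = 16
QCLASS_IN = 1


def encode_qname(name):
    """Encode 'a.b.c' as DNS labels: length byte + bytes per label, then 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, qtype, txid=0x1234):
    """One-question query with RD set and no answer/authority/additional RRs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_qname(msg, off):
    """Decode labels starting at msg[off]; returns (name, offset past the name)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers do not occur in the question of a query.
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def parse_question(msg):
    """Return id, qname, qtype and qclass of the single question in a message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qname": name, "qtype": qtype, "qclass": qclass}


def is_esni_key_lookup(udp_payload):
    """The whole DPI rule: a TXT query whose first label is _esni.

    Dropping these queries (or forging NXDOMAIN) denies the client the
    server's public key, so it has to send the name in the clear as before.
    Assumes the record-name convention of the ESNI draft Cloudflare deployed.
    """
    q = parse_question(udp_payload)
    return q["qtype"] == QTYPE_TXT and q["qname"].split(".")[0] == "_esni"


if __name__ == "__main__":
    for name, qtype in [("_esni.habr.com", QTYPE_TXT), ("habr.com", QTYPE_A),
                        ("_esni.habr.com", QTYPE_A)]:
        q = build_dns_query(name, qtype)
        print(f"{name:20s} type={qtype:3d} drop={is_esni_key_lookup(q)}")
```

Note that the rule needs nothing but the query name and type, which is why plaintext DNS undoes ESNI so cheaply and why the article ties ESNI's usefulness to encrypted DNS.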

ESNI also has to be supported by browsers, and so far that support is thin.

What do we get from this?

Internet censorship gets much harder. Today most blocking is done by DNS name, and all of that blocking stops working. What remains is blocking DNS queries themselves, or blocking IP addresses.

Blocking DNS queries stops working once mainstream browsers enable DNS over HTTPS by default. That leaves a single option, blocking by IP address: either the DNS resolvers or the unwanted sites themselves.

Blocking by IP address is for the very brave. One block can take down many unrelated domains that share the address, and there is no reliable way to check in advance who will be caught. Meanwhile a blocked service can move to an unblocked address in a couple of clicks, or fully automatically, and its users will not notice a thing.

Summary

Life gets a little better. But not yet: there are still a few steps to go before ESNI is fully supported.

Links

You can check your browser for TLS 1.3, ESNI support and DNS encryption here.

Source: https://habr.com/ru/post/424857/
