James

ESNI - Encrypted SNI

Recommended Posts

Server Name Indication (SNI) transmits a virtual domain name during the TLS negotiation process so that a server with a single IP address can support multiple virtual domains, instead of requiring a unique IP address for each TLS host. SNI does not conceal the requested hostname so it can be used for network filtering which is a privacy concern.

ESNI - Encrypted SNI - replaces the server name in the ClientHello message with an encrypted equivalent. It is placed in the DNS records as a TXT record. It has a checksum which uses the first 4 octets of the SHA-256 message digest, padding, and a validity period. However the specifications suggest the expiry date should not be used for caching to allow servers to rotate the encryption keys.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.