As web users, what we say and do online is subject to pervasive surveillance. Although we typically associate online tracking with ad networks and other th
When you type in www.example.com, you request the IP of the server for that site using a DNS server. The DNS server sends you the IP and then you connect to it. If they are using https for DNS it means that your ISP or onlookers have to reverse which domain you’re accessing from that IP to know that you’re accessing www.example.com.
The problem doesn’t involve DNS, it’s after that step.
SNI is when your browser connects to the server. A server may host multiple sites on the same IP, so your browser says “I would like to open an encrypted session to lemmy.ml”. It does this in the clear. If it was an unencrypted http site it would be in headers, but in https those headers aren’t passed until after the encrypted session is set up, so there has to be some way for the server to know the specific site. Anybody listening to SNI traffic knows the exact site you connected to, even if there are hundreds at that ip.
This adds a public key to the DNS record, so your browser is able to encrypt that initial hello message before the https session is encrypted. Someone listening might see something like “ECH: randomgibberish” but the server can decrypt it.
When you type in www.example.com, you request the IP of the server for that site using a DNS server. The DNS server sends you the IP and then you connect to it. If they are using https for DNS it means that your ISP or onlookers have to reverse which domain you’re accessing from that IP to know that you’re accessing www.example.com.
At least I think that’s what is happening.
The problem doesn’t involve DNS, it’s after that step.
SNI is when your browser connects to the server. A server may host multiple sites on the same IP, so your browser says “I would like to open an encrypted session to lemmy.ml”. It does this in the clear. If it was an unencrypted http site it would be in headers, but in https those headers aren’t passed until after the encrypted session is set up, so there has to be some way for the server to know the specific site. Anybody listening to SNI traffic knows the exact site you connected to, even if there are hundreds at that ip.
This adds a public key to the DNS record, so your browser is able to encrypt that initial hello message before the https session is encrypted. Someone listening might see something like “ECH: randomgibberish” but the server can decrypt it.