Overview#
Encrypted Server Name Indication (ESNI) is an Internet Draft titled "Encrypted Server Name Indication for TLS 1.3". Encrypted Server Name Indication is a method to provide encryption for the Server Name Indication (SNI) extension, so that the name of the server the client wants to reach is no longer sent in cleartext.
Although TLS 1.3 (RFC 8446) encrypts most of the handshake, including the server certificate, several other channels still allow an on-path attacker to determine the DNS Domain the client is trying to connect to, including:
- Cleartext client DNS queries.
- Visible server IP Addresses, assuming the server is not doing domain-based virtual hosting (an IP Address that serves a single domain identifies that domain).
- Cleartext Server Name Indication (SNI) (RFC 6066) in ClientHello messages.
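The third channel is the easiest one to verify by hand: the server_name extension sits in the unencrypted ClientHello, so any passive observer can read the host name straight out of the first record of the connection. The following is an added example (not code from the draft or from this page) that builds a minimal TLS 1.3 ClientHello and then extracts the cleartext SNI from it the way a network monitor would. The ClientHello bytes are constructed inline rather than captured; the "no SNI" case simply omits the extension to show what the observer is left with, and does not model the encrypted extension the ESNI draft adds.

```python
import os
import struct

CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000        # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions
SNI_HOST_NAME = 0x00


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.3 ClientHello record (constructed sample, not a capture).

    With server_name=None the record carries no server_name extension at all;
    this is only a stand-in for "nothing readable on the wire", the ESNI
    encrypted extension itself is not modelled here (assumption for illustration).
    """
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")                     # wire form is A-label
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                                # one entry: TLS 1.3
    extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions)) + versions

    body = (
        b"\x03\x03"                                           # legacy_version (TLS 1.2)
        + os.urandom(32)                                      # random
        + b"\x00"                                             # legacy_session_id: empty
        + b"\x00\x02\x13\x01"                                 # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                         # legacy_compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def extract_sni(record):
    """Return the cleartext host_name values in a ClientHello's server_name extension.

    Returns [] when the record is not a ClientHello or carries no server_name
    extension, i.e. when a passive observer learns nothing from this field.
    Raises ValueError for truncated or malformed input instead of guessing.
    """
    try:
        if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
            return []
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
            return []
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated handshake message")

        off = 2 + 32                                              # legacy_version + random
        off += 1 + body[off]                                      # legacy_session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher_suites
        off += 1 + body[off]                                      # legacy_compression_methods
        if off == len(body):
            return []                                             # no extensions block
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        if end > len(body):
            raise ValueError("extensions block overruns message")

        names = []
        while off + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[off:off + 4])
            data = body[off + 4:off + 4 + length]
            if len(data) != length:
                raise ValueError("truncated extension")
            off += 4 + length
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            pos = 2
            while pos + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[pos:pos + 3])
                name = data[pos + 3:pos + 3 + name_len]
                if len(name) != name_len:
                    raise ValueError("truncated server_name entry")
                pos += 3 + name_len
                if name_type == SNI_HOST_NAME:
                    names.append(name.decode("ascii"))             # report the wire form
        if off != end:
            raise ValueError("trailing bytes in extensions block")
        return names
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # ['example.com']
    print(extract_sni(build_client_hello(None)))            # []
```

The parser deliberately walks the record, handshake and extension length fields rather than searching for the byte pattern of a host name, because a monitor that pattern-matches can be fooled by a name placed in the random or session_id fields; length-checked parsing also makes truncated input an error rather than a silent miss.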
The Issues and Requirements for SNI Encryption in TLS Internet Draft describes the general problem of encrypting the Server Name Indication (SNI) TLS parameter. The proposed solutions hide a Hidden Service behind a fronting service, disclosing only the SNI of the fronting service to external observers. The draft lists known attacks against SNI encryption, discusses the current "co-tenancy fronting" solution, and presents requirements for future TLS-layer solutions.
More Information#
There might be more information for this subject on one of the following:
- [#1] - Encrypted Server Name Indication for TLS 1.3
- based on information obtained 2020-01-11
- [#2] - Encrypt it or lose it: how encrypted SNI works
- based on information obtained 2020-01-11