Overview

Encrypted Server Name Indication (ESNI) is an Internet Draft titled "Encrypted Server Name Indication for TLS 1.3".
Although TLS 1.3 (RFC 8446) encrypts most of the handshake, including the server certificate, several other channels still allow an on-path attacker to determine the DNS domain the client is trying to connect to, including:
- Cleartext client DNS queries.
- Visible server IP addresses, assuming the server is not doing domain-based virtual hosting.
- Cleartext Server Name Indication (SNI) (RFC 6066) in ClientHello messages.
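As an added illustration of the third channel (this is example code, not the draft's or the page's own), a small Python inspector parses a TLS ClientHello record, returns any cleartext SNI it carries, and flags whether the draft's encrypted_server_name extension is present; the extension code point 0xffce is assumed from the ESNI drafts, and the ClientHello bytes are constructed inline rather than captured.

```python
import struct

SNI_EXT = 0x0000    # server_name extension, RFC 6066
ESNI_EXT = 0xFFCE   # encrypted_server_name, code point assumed from the ESNI drafts


def sni_extension(hostname):
    """Encode an RFC 6066 server_name extension body for one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def build_client_hello(extensions):
    """Constructed minimal TLS 1.3 ClientHello record (test input, not a capture).
    extensions: list of (type, body) tuples."""
    body = b"\x03\x03" + bytes(32)                  # legacy_version + zeroed random
    body += b"\x00"                                 # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def inspect_client_hello(record):
    """Return (cleartext SNI or None, esni_present) for one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                    # skip legacy_version and random
    pos += 1 + body[pos]                            # skip legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + body[pos]                            # skip compression_methods
    if pos + 2 > len(body):
        return None, False                          # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    sni, esni_present = None, False
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SNI_EXT and len(data) >= 5:     # list len(2) + type(1) + name len(2)
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode("ascii")
        elif etype == ESNI_EXT:
            esni_present = True
    return sni, esni_present
```

Whatever `inspect_client_hello` returns as the SNI is exactly what an on-path observer also sees; with ESNI in use, the cleartext name (if any) is the fronting service rather than the hidden one.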
The Internet Draft "Issues and Requirements for SNI Encryption in TLS" describes the general problem of encrypting the Server Name Indication (SNI) TLS parameter. The proposed solutions hide a Hidden Service behind a fronting service, disclosing only the SNI of the fronting service to external observers. The draft lists known attacks against SNI encryption, discusses the current "co-tenancy fronting" solution, and presents requirements for future TLS-layer solutions.