[squid-users] Mozilla Devise Solution To Encrypting SNI

Alex Rousskov rousskov at measurement-factory.com
Wed Jul 18 16:05:05 UTC 2018


On 07/18/2018 09:12 AM, joseph wrote:
> Encrypted SNI completely kills SSL Bump, and all will follow that new SNI
> encryption.
> Is there any hope of starting to rework/add this option to Squid?
> 
> https://appuals.com/apple-cloudflare-fastly-and-mozilla-devise-solution-to-encrypting-sni/


I do not understand your question but hope that the following info may
be useful in this context.

The pictures in that article do not show encrypted SNI. They seem to
show a standard TLS v1.3 exchange where SNI is not encrypted but the
server certificate is. The article text is not technical/accurate enough
to tell us what exactly is being implemented.

The following draft could be a better source for eSNI information, but
it is far from its final stages, documenting two alternative
implementations, one of which will be eventually removed:

  https://tools.ietf.org/html/draft-ietf-tls-sni-encryption

If you have better sources of information about eSNI, please post them.

FWIW, my prediction is that plain SNI will still be available, but it
will become useless for avoiding bumping specific services. Both
solutions in the above draft rely on a "fronting service" that can be
reached using a "generic" bigc.example.com SNI (common to many services
offered by the Big Corporation).

We have started analyzing TLS v1.3 requirements as they apply to Squid,
but I am not aware of any specific work dealing with any of the proposed
eSNI techniques.


HTH,

Alex.
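To make the point above concrete (a TLS 1.3 ClientHello still carries the server_name extension in cleartext, which is what SSL Bump peeks at, while the certificate moves into the encrypted part of the handshake), here is an added Python example that is not from this thread or from Squid. It builds a constructed TLS 1.3-style ClientHello record and parses back the SNI and supported_versions extensions; extension type 0xff01 is a constructed placeholder for some opaque future extension, not a real eSNI code point.

```python
import struct

# Constructed TLS 1.3-style ClientHello record (no key_share, no real random); example only.
def build_client_hello(host: str, extra_ext_types=()) -> bytes:
    name = host.encode("ascii")
    server_name_list = b"\x00" + struct.pack(">H", len(name)) + name   # name_type=host_name
    sni_ext = struct.pack(">H", len(server_name_list)) + server_name_list
    exts = struct.pack(">HH", 0x0000, len(sni_ext)) + sni_ext            # server_name (0)
    sv = b"\x02\x03\x04"                                                 # supported_versions: TLS 1.3
    exts += struct.pack(">HH", 0x002b, len(sv)) + sv
    for etype in extra_ext_types:                                        # opaque placeholder data
        exts += struct.pack(">HH", etype, 4) + b"\xde\xad\xbe\xef"
    body = (b"\x03\x03" + b"\x00" * 32        # legacy_version, client random (zeroed here)
            + b"\x00"                         # empty legacy_session_id
            + b"\x00\x02\x13\x01"             # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # one compression method: null
            + struct.pack(">H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Extract what a peeking proxy can read from a cleartext ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    pos = 2 + 32                                                   # skip legacy_version + random
    sid_len = body[pos]; pos += 1 + sid_len                        # legacy_session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len                          # compression_methods
    ext_total = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    info = {"sni": None, "tls13": False, "extensions": []}
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        info["extensions"].append(etype)
        if etype == 0x0000:      # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii")
        elif etype == 0x002b:    # supported_versions: len(1) then 2-byte versions
            versions = edata[1:]
            info["tls13"] = any(versions[i:i + 2] == b"\x03\x04"
                                for i in range(0, len(versions), 2))
    return info

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello("bigc.example.com", (0xff01,))))
```

Running it shows the SNI `bigc.example.com` in the clear next to the TLS 1.3 version advertisement, which is exactly why a "fronting" SNI shared by many services makes plain SNI useless for selecting what to bump.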

