642
submitted 1 year ago by buh@lemmy.world to c/firefox@lemmy.ml
[-] TiffyBelle@feddit.uk 97 points 1 year ago

All well and good, but sadly this relies on the hosts managing DNS to include specific entries in their DNS configuration for keys to use during the encryption process. Unfortunately the vast majority of hosts probably won't be bothered to do this, similar to DNSSEC.
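For readers who want to see what those "specific entries" look like: the post is assumed to concern TLS Encrypted Client Hello (ECH), whose keys are published as an ECHConfigList (version 0xfe0d) in the ech parameter of the domain's HTTPS DNS record. The builder and parser below are an added example, not code from the thread or from Firefox; the public key and public name are constructed stand-ins.

```python
import base64
import struct

# Constructed sample values (not real keys): a 32-byte stand-in for an X25519
# public key and the "public name" the client-facing server answers to.
SAMPLE_PUBLIC_KEY = bytes(range(32))
SAMPLE_PUBLIC_NAME = b"public.example"

def build_echconfig(config_id, kem_id, public_key, suites, max_name_len, public_name):
    """Serialize one ECHConfig (version 0xfe0d) wrapped in an ECHConfigList."""
    contents = struct.pack(">BH", config_id, kem_id)
    contents += struct.pack(">H", len(public_key)) + public_key          # HPKE public key
    suite_bytes = b"".join(struct.pack(">HH", kdf, aead) for kdf, aead in suites)
    contents += struct.pack(">H", len(suite_bytes)) + suite_bytes       # HpkeSymmetricCipherSuite list
    contents += struct.pack(">B", max_name_len)                          # padding hint
    contents += struct.pack(">B", len(public_name)) + public_name       # outer SNI
    contents += struct.pack(">H", 0)                                     # no extensions
    config = struct.pack(">HH", 0xFE0D, len(contents)) + contents
    return struct.pack(">H", len(config)) + config

def parse_echconfig_list(data):
    """Decode an ECHConfigList into one dict per ECHConfig, checking the length fields."""
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from(">HH", data, pos)
        body = data[pos + 4 : pos + 4 + length]
        pos += 4 + length
        if version != 0xFE0D:                      # unknown versions are skipped, not parsed
            configs.append({"version": version, "unsupported": True})
            continue
        config_id, kem_id, pk_len = struct.unpack_from(">BHH", body, 0)
        off = 5
        public_key = body[off : off + pk_len]; off += pk_len
        (suites_len,) = struct.unpack_from(">H", body, off); off += 2
        suites = [struct.unpack_from(">HH", body, off + i) for i in range(0, suites_len, 4)]
        off += suites_len
        max_name_len, name_len = struct.unpack_from(">BB", body, off); off += 2
        public_name = body[off : off + name_len].decode("ascii"); off += name_len
        (ext_len,) = struct.unpack_from(">H", body, off); off += 2
        if off + ext_len != len(body):
            raise ValueError("ECHConfig contents length mismatch")
        configs.append({"version": version, "config_id": config_id, "kem_id": kem_id,
                        "public_key": public_key, "cipher_suites": suites,
                        "max_name_len": max_name_len, "public_name": public_name})
    return configs

def demo():
    """Round-trip: build a config, base64 it as the DNS record would carry it, parse it back."""
    raw = build_echconfig(42, 0x0020, SAMPLE_PUBLIC_KEY, [(0x0001, 0x0001)], 0, SAMPLE_PUBLIC_NAME)
    ech_param = base64.b64encode(raw).decode()   # the value that goes in ech="..."
    return parse_echconfig_list(base64.b64decode(ech_param))
```

The parser is what a client runs on the HTTPS record before it can encrypt the inner ClientHello; without such a record there is no key and the SNI goes out in the clear, which is the point made above.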

[-] pazukaza@lemmy.ml 1 point 1 year ago

Wouldn't it be better if reverse proxies simply had a "default key" meant to encrypt the SNI after an unencrypted "hello" is received?

Including DNS in this seems weird.

[-] p1mrx@sh.itjust.works 1 point 1 year ago

What would stop a MITM attacker from replacing the key? The server can't sign the key if it doesn't know which domain the client is trusting.

this post was submitted on 03 Oct 2023