1061
submitted 7 months ago by Sunny@slrpnk.net to c/memes@lemmy.ml
you are viewing a single comment's thread
view the rest of the comments
[-] Darkassassin07@lemmy.ca 2 points 7 months ago* (last edited 7 months ago)

But what's not encrypted by either is the Server Name Indicator or SNI, ie: the initial request to a webserver stating which host you're trying to reach at that IP, before establishing the TLS connection, contains the domain you'd requested via DoH/DoT, in plaintext.

[-] Album@lemmy.ca 3 points 7 months ago

encrypted SNI is a thing now.

[-] Darkassassin07@lemmy.ca 4 points 7 months ago

True. Known as Encrypted Client Hello now, as part of TLS1.3.

It seems many more browsers support it than last I'd looked. I'm curious to see how much of the general web has adopted support for it onnthe server side. I'll have to look into that more, and see what it'll take to setup for self-hosting.

[-] WereCat@lemmy.world 1 points 7 months ago

https://www.cloudflare.com/learning/dns/dns-over-tls/

If I understand it correctly DoH (which I use with NextDNS) should prevent ISP from snooping.

[-] Darkassassin07@lemmy.ca 1 points 7 months ago* (last edited 7 months ago)

It will prevent the ISP from snooping on, or tampering with, the DNS request. However when you go to use the IP you've retrieved via DoH/DoT; your first request establishing a TLS connection to that IP will contain an unencrypted SNI which states the domain you are trying to use. This can be snooped on by your ISP.

[-] ShortN0te@lemmy.ml 1 points 7 months ago

That is correct. HSTS helps to some degree but the very first request is still unprotected.

this post was submitted on 23 Apr 2024
1061 points (97.1% liked)

Memes

45746 readers
1606 users here now

Rules:

  1. Be civil and nice.
  2. Try not to excessively repost, as a rule of thumb, wait at least 2 months to do it if you have to.

founded 5 years ago
MODERATORS