Modern TLS is enough to prevent others from eavesdropping everything except domain names when on public WiFi. Domain names are sent in clear text if your client supports SNI.


A trail of DNS names is more than enough to know what somebody is up to.


You could use DoH, which you should do anyway. No reason to leak DNS lookups to anyone.


DoH alone is not enough due to https://en.wikipedia.org/wiki/Server_Name_Indication being sent in plain text. Some day ECH (formerly eSNI) should help with that.


I thought TLSv1.3 already encrypted the SNI?


No. ESNI is a later-created extension to TLS 1.3.


It does


ESNI is not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev mode.

All SNIs are passed as plain text to your ISP/VPN, even with DoH/TLS secure DNS enabled.


You'll always be leaking it to whoever you are sending your query to.



