Those random domains belong to Tor relays. The list of relays is public anyway so you can just look at the IP address to see that it's a Tor connection. Obfuscating it would achieve nothing. If you want to hide that you are using Tor you should use a bridge. https://bridges.torproject.org/

All true, but the question I am asking is why SNI is needed. For example, if the domains are bogus and the certificates are not obtained from a CA that checks domain registrations. What is the purpose.

Are these bogus domain names unique to each Tor user. Why not use ECH.

IIRC it just should look like normal TLS traffic. They are unique to each of the already public Tor relays not the users. What benefit would ECH bring? You can still look at the IP and know it's Tor.

All the "let's hide that it's Tor" work is done with pluggable transports [0] used in combination with unlisted relays (bridges). This way there can be multiple completely different protocols like obfs4 (looks completely random), Snowflake (uses WebRTC), meek (uses domain fronting) and WebTunnel (WebSockets over https) without a need to update the Tor spec and all relays.

[0]: https://spec.torproject.org/pt-spec/architecture-overview.ht...

Still not getting an answer why SNi is needed. Will have to read the code. Usually SNI is needed to "choose the correct certificate" but that seems inapplicable here. The plaintext servernames observable on the wire appear to be bogus. Maybe certificates are generated on the fly. Who knows. Thought someone might have an answer.

According to the spec [0] it looks like SNI is not needed. It just specifies a TLS connection. Why does it send an SNI? I guess because basically everything does it so why should Tor not send it?

[0]: https://spec.torproject.org/tor-spec/negotiating-channels.ht...

"... why should Tor not send it?"

Why not send the string "Hi there! I'm using Tor." Why not. Tor is annoucing itself with a unique TLS fingerprint anyway.

"Why not" was not the question I asked. IMO, it's a different question than asking "Why".

SNI has been used for censorship. Perhaps this is why the servername is apparently dynamic rather than static. I do not know. There could be many answers to "Why not". We might not know all of them. I certainly will never know all of them.

I am not arguing for or against sending SNI. I have had that debate too many times on HN.

TLS1.3 encrypts the handshake and ECH encrypts SNI. The folks who did that work on TLS thought it was worth doing. What was their reason. Was it "Why not encrypt the handshake and the servername."

Why encrypt DNS. Many people cite privacy as a reason. Yet HN commenters will routinely claim that they can determine (with no significant, additional effort) what sites someone is accessing because they can see the IP addresses on the wire. If so, then why try to make DNS private.

Why encrypt DNS and at the same time send plaintext domainnames on the wire via SNI. A significant portion of the web is still using TSL1.2 so the DNS names in the certificate are sent plaintext in the handshake as well. Why not just use unencrypted DNS. Everyone else is doing it.

No doubt Apple and others who have implemented "push notifications" thought "Why not" when they saw no need to be concerned about people sniffing the traffic.

As a user, I'm not a fan of all the noise on the wire from Apple and so-called "tech" companies. I'm generally not interested in the "features" and "conveniences" they are pushing. (No pun intended.) Plugging in a computer with an OS from one of these so-called "tech" companies usually results in it immediately trying to connect to remote server(s) without any input from the computer owner.

This is why I like NetBSD. Generally everything is off by default. It's up to me to decide what I want to automate.

Plain Tor says "Hi there! I'm connecting to a Tor node" because all relay IPs are public. You can't hide that fact with ECH or by not sending the SNI. Every second invested in that is just wasted.

And of course I never suggested anyone could. Despite that I provided links to a couple of past discussions that show people are well-aware using "plain Tor" is not something anyone can hide, you keep trying to reframe the question I asked into something else, a debate whether using Tor is detectable or not. Who cares. Tell us something we do not already know.

Why is Tor sending SNI. What is the purpose. It's a simple question. That is all I am asking.

For example, CDNs use SNI to host many HTTPS-enabled sites on a limited number of IP addresses. Why is Tor using SNI.

I've looked it up for you. "IIRC it just should look like normal TLS traffic." and "because basically everything does it" was correct.

"/* Browsers use the TLS hostname extension, so we should too. */"

Thanks. That's not much of a reason. These domain names are not fooling anyone. Just looking at them one can see they are faked up, not normal at all. Plus there is no corresponding DNS lookup. And not all traffic is browsers. Will have to edit this out and recompile tor daemon.