Hacker News | hnasr's comments

I published this video to discuss the Uber article in detail. In the video I also referenced other HN threads from 2016 that discuss the article as well. I think there are still lessons that can be learned in 2020.


A great step indeed for websites that use a static IP for a single resource. Websites that use the Server Name Indication TLS extension for shared hosting force clients to send the hostname in plain text during the TLS handshake, which could be sniffed. (Reliance Jio in India is already doing it: https://cis-india.org/internet-governance/blog/reliance-jio-...)

The same goes for the OCSP Stapling (Online Certificate Status Protocol) extension, which also sends the hostname.

Cloudflare crafted a solution for this by storing the public key of the target website along with the DNS record. So during DoH, when the user asks for the IP of a given host, it can also get the public key of the host. The user then establishes the TCP connection, encrypts the SNI extension and OCSP with the public key, and starts the TLS handshake.

Though ESNI doesn't seem to provide perfect forward secrecy, it is a leap forward.
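The plain-text SNI leak the comment above describes, shown as an added example (not code from the commenter or from Cloudflare): the block constructs a minimal TLS ClientHello record carrying an RFC 6066 server_name extension, then walks it the way a passive on-path sniffer would and pulls the hostname straight out of the unencrypted bytes. The random, cipher-suite list and hostname are constructed filler; the parser returns None when the ClientHello carries no SNI, which is the only case a legacy sniffer fails on.

```python
import struct

# Constructed sample hostname; any ASCII name works.
SAMPLE_HOST = "secret-tenant.example.com"


def build_client_hello(hostname=None) -> bytes:
    """Build a minimal TLS ClientHello record. With a hostname, an SNI
    extension (type 0x0000) is attached in plain text, as every pre-ESNI
    client sends it; with None, no extensions block is emitted at all."""
    extensions = b""
    if hostname is not None:
        host = hostname.encode("ascii")
        # ServerName: name_type(1, 0 = host_name) + name length(2) + name
        server_name = b"\x00" + struct.pack("!H", len(host)) + host
        server_name_list = struct.pack("!H", len(server_name)) + server_name
        sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (constructed filler, not random here)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # cipher_suites: one entry (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"            # compression_methods: null only
        + extensions
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Parse a TLS record as a network observer would and return the SNI
    hostname, or None if there is no ClientHello / no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                   # skip version + random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                              # skip compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # server_name_list: 2-byte list length, then ServerName entries
        p = 2
        while p + 3 <= len(data):
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            name = data[p:p + nlen]
            p += nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def hostname_visible_on_wire(hostname: str) -> bool:
    """True when the raw hostname bytes appear verbatim in the ClientHello,
    i.e. a sniffer needs no parsing at all to spot which site is requested."""
    return hostname.encode("ascii") in build_client_hello(hostname)


if __name__ == "__main__":
    print("sniffed SNI:", extract_sni(build_client_hello(SAMPLE_HOST)))
    print("hostname literally on the wire:", hostname_visible_on_wire(SAMPLE_HOST))
```

A real capture would feed `extract_sni` the first TLS record of a TCP stream (the first bytes after the handshake to port 443); what ESNI/ECH changes is that the server_name extension in the outer ClientHello no longer carries the true hostname, so this parser would only ever recover the public cover name.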

