US company introduces more privacy protocols to its networks.
Cloudflare has announced it is now supporting Encrypted Server Name Indication (ESNI) in an effort to “fix” the privacy gap faced by internet users.
The cloud hosting and security company will now offer ESNI across its networks, it said in a blog post yesterday, to further protect internet surfers’ right to privacy.
SNI, which was standardized in 2003, is an extension to Transport Layer Security (TLS) that allows multiple secure websites to be served on the same IP address.
It comes in handy due to the limited number of IP addresses that are available, but SNI does not come without its own faults.
In order to establish an encrypted connection with the right credentials, SNI transmits the domain name of the website you want to visit in plaintext.
This means that an on-path observer – such as the user’s internet service provider (ISP) or a public WiFi host – can view the server name and track which sites they are visiting.
Encrypted SNI helps prevent this by masking the server name during SNI, meaning even though the ISP can view the connection they cannot see which domain the user is trying to access.
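The following script is an added illustration, not code from the original article or from Cloudflare. It builds two constructed, minimal TLS ClientHello records and parses them the way a passive network monitor would: one carries the plaintext server_name extension and yields the hostname to anyone on the path, the other carries only an opaque encrypted_server_name extension and yields nothing. The extension code point 0xffce is the value used by the draft-ietf-tls-esni specifications at the time of Cloudflare's deployment; it is labelled as an assumption in the code, and the sample records are constructed, not captured from a real connection.

```python
import struct

# Extension type numbers. server_name (0) is the IANA-registered value;
# 0xffce is assumed to be the encrypted_server_name code point from the
# draft-ietf-tls-esni documents of the period (assumption, not a final value).
EXT_SERVER_NAME = 0x0000
EXT_ENCRYPTED_SERVER_NAME = 0xFFCE


def build_client_hello(extensions):
    """Build a constructed, minimal ClientHello inside a TLS record.
    `extensions` is a list of (type, body) pairs. This is a sample
    message for parsing, not a full or valid handshake."""
    body = b"\x03\x03"                 # legacy_version (TLS 1.3 signals 1.3 elsewhere)
    body += b"\x00" * 32               # random, zeroed for the sample
    body += b"\x00"                    # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"        # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                # legacy_compression_methods: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_extension(hostname):
    """Encode a ServerNameList with one host_name entry (RFC 6066 layout)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
    return struct.pack("!H", len(entry)) + entry


def _extensions(record):
    """Yield (type, body) pairs from a ClientHello record, or nothing if the
    record is not a client_hello handshake message."""
    if not record or record[0] != 0x16:
        return
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                           # compression methods
    if pos + 2 > len(body):
        return
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        yield ext_type, body[pos:pos + ext_size]
        pos += ext_size


def extension_types(record):
    """List the extension code points visible in the clear."""
    return [t for t, _ in _extensions(record)]


def extract_sni(record):
    """Return the plaintext host_name an on-path observer can read, or None.
    No key material is needed: the field is simply not encrypted."""
    for ext_type, ext_body in _extensions(record):
        if ext_type != EXT_SERVER_NAME:
            continue
        p = 2                                      # skip ServerNameList length
        while p + 3 <= len(ext_body):
            name_type = ext_body[p]
            name_len = struct.unpack("!H", ext_body[p + 1:p + 3])[0]
            if name_type == 0:
                return ext_body[p + 3:p + 3 + name_len].decode("ascii")
            p += 3 + name_len
    return None


if __name__ == "__main__":
    plain = build_client_hello([(EXT_SERVER_NAME, sni_extension("example.com"))])
    # Constructed opaque payload standing in for the encrypted name
    esni = build_client_hello([(EXT_ENCRYPTED_SERVER_NAME, b"\x00" * 16)])
    print("plain SNI seen on path:", extract_sni(plain))
    print("ESNI hello: SNI seen on path:", extract_sni(esni),
          "extensions:", [hex(t) for t in extension_types(esni)])
```

Run as a script it prints the hostname for the plaintext hello and `None` for the ESNI hello. The parser is the same in both cases: what changes is only which extension the client sent, which is why ESNI removes the hostname from the view of an ISP or WiFi host without changing anything else about the connection they can see.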
Alessandro Ghedini of Cloudflare explains: “Encrypted SNI, together with other internet security features already offered by Cloudflare for free, will make it harder to censor content and track users on the internet.”
ESNI is expected to be rolled out in Mozilla’s Firefox Nightly browser by the end of this week.
Steps to security
The new feature is promising, but doesn’t come without its drawbacks.
Firstly, a whole host of other infrastructure needs to be in place for ESNI to fully mask the users’ browsing habits.
It will only work as an extension to TLS versions 1.3 and above, and the device must be using a secure Domain Name System (DNS) service, such as DNS over TLS or DNS over HTTPS.
The resolver must also validate DNSSEC signatures.
As Cloudflare points out, a malicious hacker could also poison a DNS resolver’s cache and inject malicious data by intercepting the conversation between the resolver and the authoritative DNS server.
Moreover, the user’s IP address will still be available to on-path observers, who can look at the destinations on the traffic from a user device.
Ghedini wrote: “Some of our customers are protected by this to a certain degree thanks to the fact that many Cloudflare domains share the same sets of addresses, but this is not enough and more work is required to protect end users to a larger degree.”
It remains to be seen what effect this will have on content filters implemented by ISPs in order to block access to child abuse images and content.
These filters can also be repurposed to block copyrighted content, such as websites hosting pirate movies.
But if Cloudflare’s latest efforts prove to be successful, it could spell the end of these ISP-controlled blockers, which could one day become obsolete.