What is encrypted SNI, and how does it relate to censorship?

Encrypted SNI (ESNI) solves a fairly delicate privacy drawback when visiting websites hosted on cloud providers. Traditional SNI directs you to the correct websites by instructing cloud providers which content you want to access. However, its main downside is the lack of encryption, meaning that SNI information typically travels in plaintext. Encrypted SNI can make information about your internet visits more private. In turn, it also became a potential tool for bypassing censorship and attempts to throttle access to specific content.


What is SNI?

SNI (Server Name Indication) is a TLS extension needed to open the correct website safely during browsing. When a web server hosts multiple websites, they can all share one IP address. SNI tells the server which domain the user has requested. However, experts have noted that it leaves a privacy hole while browsing.

How does SNI work?

In the TLS handshake, the first message is the “client hello.” With it, you request a specific website and ask for its TLS (formerly SSL) certificate. The web server must then reply with the TLS certificate. When one web server hosts multiple websites, the problem is that it must send the correct certificate: the connection to the desired website will fail if the server delivers the wrong one. SNI is the feature that resolves this problem. It names the website you want to visit so that the server can serve the appropriate certificate.

However, SNI has one issue. This process occurs at the beginning of the TLS handshake before encryption happens. Thus, the information about which website you are trying to visit remains visible in plaintext. People monitoring the connection (your ISP or network managers) could retrieve information about your browsing habits. This privacy hole applies even if the rest of your communication is encrypted correctly.

What is encrypted SNI?

Encrypted SNI is a process that ensures eavesdroppers are unable to capture the SNI information. This privacy technology encrypts the SNI part of the “client hello” message. However, this secure communication must meet several requirements. The encrypted SNI only works if the client and the server have the key for encryption and decryption.

An important note is that the “client hello” message is sent before the client and server have successfully “shaken hands.” Thus, the encryption key must be shared in another manner, such as via public-key cryptography. This means that website owners attach a public key to their DNS record. Then, when clients look up the IP address of the website they want to access, they also retrieve the server’s published public key.

Specialists also soon noticed that encrypting only the SNI part of the “client hello” message is an insufficient practice. Thus, it became necessary to revise the encrypted SNI, and this process led to ECH (Encrypted Client Hello). The latter focused on encrypting the entire “client hello” message, not only the SNI.

What does encrypted SNI have to do with censorship and throttling?

Encrypted SNI could prevent governments or other entities from banning or throttling access to content based on SNI. For instance, Russia did precisely that in 2021. It targeted Twitter-related domains by throttling access to them. According to reports, the blocklisted websites were throttled to 128 kbps. In this case, Russia relied on SNI to obstruct access to websites containing “,” “,” and “” Thus, encrypted SNI (possibly combined with other tools) could have enabled normal access to Twitter.

Sadly, governments known for strict access control have already reacted to this privacy technology. In 2020, China upgraded its national censorship tool. Essentially, it revamped its Great Firewall to hinder HTTPS traffic set up with TLS 1.3 and ESNI. Russia had announced similar plans to ban TLS 1.3, ESNI, DNS over TLS, and DNS over HTTPS. Since the use of encrypted SNI is itself visible in the connection, entities can block such traffic. However, even if China and several Russian ISPs and mobile operators block ESNI, they currently do not hinder ECH.
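To make two points from the sections above concrete (classic SNI travels in plaintext, and the use of ESNI is itself visible even though its contents are not), here is an added Python example that is not part of the original article. It parses a “client hello” record the way a passive monitor, or a defender auditing their own traffic, would read it. The records, host names and 16-byte extension bodies are constructed placeholders; in the ECH sample the readable name stands for the outer, public name that an ECH “client hello” still carries.

```python
import struct

EXT_SNI, EXT_ESNI, EXT_ECH = 0x0000, 0xFFCE, 0xFE0D  # RFC 6066; ESNI drafts; ECH

def parse_client_hello(record: bytes) -> dict:
    """Return what a passive observer can read from one ClientHello record."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    try:
        pos = 5 + 4 + 2 + 32                                 # headers, version, random
        pos += 1 + record[pos]                               # legacy_session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    seen, pos = {"sni": None, "esni": False, "ech": False}, pos + 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4 : pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SNI and len(body) >= 5 and body[2] == 0:  # host_name entry
            name_len = struct.unpack_from("!H", body, 3)[0]
            seen["sni"] = body[5 : 5 + name_len].decode("ascii", "replace")
        elif ext_type in (EXT_ESNI, EXT_ECH):  # contents are opaque, presence is not
            seen["esni" if ext_type == EXT_ESNI else "ech"] = True
    return seen

def build_client_hello(extensions: list) -> bytes:
    """Build a minimal ClientHello record from (type, body) pairs; sample data only."""
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(host: str) -> tuple:
    entry = b"\x00" + struct.pack("!H", len(host)) + host.encode("ascii")
    return (EXT_SNI, struct.pack("!H", len(entry)) + entry)

# Constructed records (not captures); host names and 16-byte bodies are placeholders.
SAMPLES = {
    "plain": build_client_hello([sni_extension("example.com")]),
    "esni": build_client_hello([(EXT_ESNI, bytes(16))]),
    "ech": build_client_hello([sni_extension("public.example"), (EXT_ECH, bytes(16))]),
}
if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, parse_client_hello(record))
```
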

What does it mean for you?

Encrypted SNI essentially makes it far more difficult to capture users’ habits online. It could mean that ISPs or network providers have fewer means to track users and their online routines. Without a doubt, encrypted SNI and ECH are a big part of elevating privacy. However, they are only one of the ways to ensure that. For instance, even with ESNI enabled, DNS lookups must be encrypted as well. If they are not, snoopers could still learn a lot about your browsing.

Until more browsers and websites support encrypted SNI or ECH, you should consider other means of protection. Even if encrypted SNI becomes more prominent, it is best to use multiple techniques to stay safe online. For instance, a VPN can help you cover your tracks in the digital space. It makes your browsing experience far more private and prevents snoopers from spying on you. However, remember that your security and privacy online do rely on your habits. You should be careful and continue to raise your cybersecurity awareness.
