Cloudflare Launches Encrypted SNI Support

Cloudflare has announced it has rolled out encrypted Server Name Indication (SNI) support that started on September 24th. This feature offers an option to encrypt one of the last plain-text parts of standard web browsing, the SNI field. This field contains the domain name used in an HTTPS connection and is the the only part of an HTTPS connection that a third-party can read. On its own, the SNI cannot be used directly to attack either end of an HTTPS connection, but it still represents a significant piece of information in an otherwise encrypted path.

Currently, no web browsers support ESNI, but Firefox nightlies should have support in the coming days.

When combined with encrypted DNS, such as DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH), and DNSSEC, users can expect complete confidentiality and integrity for all communication above the TCP/IP layer. Cloudflare offers DoH and DoT through their 1.1.1.1 service. Alternatives are Quad9 (DoT only) and Google’s DNS (DoH only). This feature is expected to be included in the Transport Layer Security (TLS) 1.3 spec, which ought to encourage support in all browsers and more hosting providers.