   comp.misc      General topics about computers not cover      21,759 messages   
   Message 20,362 of 21,759   
   Grant Taylor to Lawrence D'Oliveiro   
   Re: [LINK] Calling time on DNSSEC?   
   03 Dec 24 19:37:46   
   
   From: gtaylor@tnetconsulting.net   
      
   On 12/3/24 00:14, Lawrence D'Oliveiro wrote:   
   > Nobody uses PKI.   
      
   Um....  I think I'm one of many, Many, MANY people that will have to   
   disagree with you on that one.   
      
   > TLS has a hole in it, in that the SNI, “Server Name Indication”   
   > (the “Host:” line in the HTTP request header) has to be sent   
   > unencrypted.   
      
   Two flags on the play:   
      
   1)  Encrypted SNI is a thing.   
      
   2)  "the "Host:" line in the HTTP request header" is *NOT* the SNI.  The   
   Host: header is part of the HTTP request that's inside of the TLS   
   connection.   
      
   The SNI hello message does include something similar, but it's not the   
   Host: header.  And there's also ESNI to protect it.   
      
   > This allows eavesdroppers, like authoritarian Government regimes,   
   > to determine when you are trying to access a prohibited service,   
   > and block it before the encrypted connection can be set up.   
      
   Those are examples of the very things that ESNI is designed to defend   
   against.   
      
   Link - What is encrypted SNI? | How ESNI works | Cloudflare   
     - https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/   
      
   ECH also looks promising.   
      
      
      
   --   
   Grant. . . .   
      
   --- SoupGate-DOS v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
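As an added illustration of the SNI vs. Host: header distinction made in the post above (example code written for this page, not from the thread or any project it mentions): a minimal TLS ClientHello is built with a server_name extension and then parsed the way a passive network sensor would read it before any key exchange, while a plaintext HTTP request carrying a Host: line is simply not a TLS record at all. The hostname example.test and the all-zero random are constructed values.

```python
# Added example (not from the thread): build a ClientHello with an SNI
# extension, then recover the name from the raw bytes as an on-path observer can.
import struct
from typing import Optional

def build_client_hello(hostname: str) -> bytes:
    """Build a TLS record holding a ClientHello whose only extension is server_name."""
    name = hostname.encode()
    # server_name extension body (RFC 6066): list length, name type 0 (host_name),
    # host name length, host name bytes
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                   # (legacy) client_version = TLS 1.2
        + bytes(32)                   # random: constructed all-zero value
        + b"\x00"                     # session_id length 0
        + b"\x00\x02\x13\x01"         # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                 # compression_methods: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                    # not a TLS handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                    # not a ClientHello
    try:
        p = 4 + 2 + 32                                 # skip header, version, random
        p += 1 + hs[p]                                 # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                                 # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:                     # server_name extension
                name_type, name_len = struct.unpack("!BH", hs[p + 2:p + 5])
                if name_type == 0:
                    return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                           # malformed or truncated hello
    return None

if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.test")))   # example.test
```

A sensor that logs this field sees the name only because the ClientHello is sent in the clear; with ECH the same parser would recover only the outer, public name.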
