
   comp.misc      General topics about computers not cover      21,759 messages   

   Lawrence D'Oliveiro to Grant Taylor   
   Re: [LINK] Calling time on DNSSEC?   
   05 Dec 24 02:02:39   
   
   From: ldo@nz.invalid   
      
   On Wed, 4 Dec 2024 19:17:08 -0600, Grant Taylor wrote:   
      
   > On 12/3/24 23:49, Lawrence D'Oliveiro wrote:   
   >   
   >> That cert depends on the domain name.   
   >   
   > No, not quite.   
   >   
   > The domain name can be used to inform which cert the server should use,   
      
   Which part of “depends on” are you having trouble with?   
      
   > and that's EXACTLY what Server Name Indication (a.k.a. SNI) is.  SNI is   
   > part of TLS.   
      
   Which cannot be sent encrypted over HTTP because HTTP encryption   
   hasn’t been set up yet.   
      
   > Also, consider protocols that don't send a Host: header (as HTTP does)   
   > still using SNI to indicate which domain name is being connected to.   
      
   They don’t do “virtual hosting”, where multiple domains share the same
   IP address, which is an important feature of HTTP. That’s why there is a
   specific problem with that.
      
   There are two rival specs for solving this: DNS-over-TLS, and   
   DNS-over-HTTPS. DNS-over-TLS (DoT) is a separate protocol that can be   
   identified as such by firewalls, while DNS-over-HTTPS (DoH) is   
   essentially indistinguishable from any other HTTPS traffic.   
      
   DoH has become quite controversial. On the one hand, corporates who   
   want to control traffic on their networks for security reasons hate   
   it. But on the other hand, it can be useful to bypass restrictions for   
   those who live under certain authoritarian regimes. You can’t have   
   it both ways.   
      
   Mozilla decided to go for DoH, for which a British association of ISPs
   called them a “villain”.
      
   --- SoupGate-DOS v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
