undefined | Better HN

0 pointsagileAlligator3y ago0 comments

> HTTPS typically still have the site domain in clear due to SNI.

Can you eli5 that please?

0 comments

5 comments · 2 top-level

_0w8t3y ago· 3 in thread

To support multiple sites per IP the browser has to send DNS name of the site to the web server. Moreover, since certificates that the server uses for encryption depends on the site name, the name cannot be encrypted within HTTPS. So the browser sends the name in clear when initiating the connection. This is called SNI, server-name-identification.

It is possible to encrypt SNI, but most sites do not support that as the setup is non-trivial and error-prone.

agileAlligatorOP3y ago

Huh

So HTTPS doesn't really stop tracking, it only prevents people from snooping on what data you are sending to and receiving from the website

rayhaanj3y ago

There has been some work on encrypted server name indication: https://www.cloudflare.com/learning/ssl/what-is-encrypted-sn...

hnzix3y ago

I use CloudFlare's 1.1.1.1 DNS to mitigate my ISP tracking the domains I visit. They have an iPhone app too. I don't know enough about the space to say whether it's 100% effective.

1 more reply

astrange3y ago

https://www.cloudflare.com/learning/ssl/what-is-encrypted-sn...

j / k navigate · click thread line to collapse