Cloudflare announces today support for encrypted Server Name Indication, a mechanism that makes it more difficult to track user's browsing.
A web server can host multiple websites, with all of them sharing the same external IP address. This is possible through virtual hosting, a method that allows splitting the resources among available domain names.
Server Name Indication (SNI) is a component of the TLS protocol that makes it possible for a server to present different TLS certificates that validate and secure the connection to websites behind the same IP address.
An application with SNI support includes the hostname it is trying to reach at the beginning of the handshake process with the server.
This initial conversation in the TLS negotiation process happens in the clear, exposed to every node along the way, allowing an observer to track users or to influence (block, slow down) the connection to websites it does not sympathize.
An encrypted SNI (ESNI) eliminates the risk of exposing the destination name. The ESNI specification is currently available as an experimental design, with a proposed draft set to expire on March 22. It is an extension to the TLS protocol version 1.3 and above, where there is support for delivering the website certificate through the encrypted part of the TLS handshake.
The mechanism works by having the server publish the public key on a Domain Name System (DNS) record that is visible to the client before establishing the connection.
The client can then use the key to encrypt the SNI bit so that it is protected in transit, and decrypted at the destination.
Cloudflare explains that the process for generating an encryption key over an untrusted channel uses the Diffie-Hellman key exchange algorithm.
Even if the ESNI protects the destination of the client, the DNS queries that ask for the IP address of the website are in plain text, hence visible over the network.
Cloudflare gradually adopted a series of technical solutions to get to the stage where it can offer increased privacy to users accessing websites on its infrastructure.
The company added support for DNS of TLS (DoT) and DNS over HTTPS (DoH) and combined it with its own DNS resolving service (22.214.171.124) so that DNS queries are protected from private eyes through encryption.
Recent support for DNSSEC prevents cache poisoning at the resolver level by signing and verifying the responses exchanged between Cloudflare's authoritative server and its resolver.
Despite the benefits of encryption, an attacker can still see the target's destination IP address. This is an area where Cloudflare still has to make improvements.
"Some of our customers are protected by this to a certain degree thanks to the fact that many Cloudflare domains share the same sets of addresses, but this is not enough and more work is required to protect end users to a larger degree," Cloudflare explains in a post shared with BleepingComputer.
The company says that ESNI is enabled for all websites. Since the specification is not in its final stage of development, it is not widely available in client applications.