Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation
Cloudflare, Inc. is a U.S. company that provides content delivery network services, DDoS mitigation, Internet security and distributed domain name server services, sitting between the visitor and the Cloudflare user’s hosting provider, acting as a reverse proxy for websites.
Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn, who had previously worked on Project Honey Pot. Cloudflare was launched at the September 2010 TechCrunch Disrupt conference.
Cloudflare announced today support for encrypted Server Name Indication (ESNI), a mechanism that makes it harder for anyone watching the network to tell which websites a user is visiting.
A web server can host multiple websites that all share the same external IP address. This is done through name-based virtual hosting, where the server picks which site to serve based on the hostname the client asks for.
Server Name Indication (SNI) is an extension to the TLS protocol that lets a server present the right certificate for each of the websites hosted behind the same IP address, so that the connection is validated and secured for the site the client actually wants.
A client with SNI support includes the hostname it is trying to reach in the ClientHello, the first message of the TLS handshake.
That first message is sent in the clear, visible to every node along the path, which lets an observer record which sites users visit or interfere with (block, slow down) connections to websites it disapproves of.
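To make the exposure concrete, here is an added example (not code from the article or from Cloudflare) that builds a minimal ClientHello with a plaintext SNI extension and then parses the hostname back out the way any on-path observer would. The record layout follows the TLS handshake and RFC 6066 server_name formats; the zeroed random and the single cipher suite are constructed values chosen only to keep the message small.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000  # TLS extension "server_name", RFC 6066
HOST_NAME_TYPE = 0x00        # the only NameType defined


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with a plaintext SNI entry.

    Constructed for illustration: the random is zeroed and only one cipher suite
    is offered, which is enough for an observer to parse the hostname out."""
    name = hostname.encode("idna")
    server_name = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    extension = struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"                      # legacy_version = TLS 1.2 (TLS 1.3 keeps it)
        + b"\x00" * 32                   # random (zeroed, constructed)
        + b"\x00"                        # session_id: empty
        + b"\x00\x02\x13\x01"            # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(extension)) + extension
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes):
    """Return the host_name an on-path observer can read from a ClientHello, or None.

    Everything parsed here is sent before any key is agreed, so no secret is needed."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a TLS handshake record
    record_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + record_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None                                   # not a ClientHello
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    try:
        take(2)                                       # legacy_version
        take(32)                                      # random
        take(take(1)[0])                              # session_id
        take(struct.unpack("!H", take(2))[0])         # cipher_suites
        take(take(1)[0])                              # compression_methods
        if pos == len(body):
            return None                               # no extensions at all
        end = pos + struct.unpack("!H", take(2))[0]
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", take(4))
            data = take(ext_len)
            if ext_type == SNI_EXTENSION_TYPE:
                return _first_host_name(data)
    except ValueError:
        return None
    return None


def _first_host_name(server_name_list: bytes):
    """Walk the ServerNameList and return the first host_name entry."""
    if len(server_name_list) < 2:
        return None
    list_len = struct.unpack("!H", server_name_list[:2])[0]
    q, end = 2, min(2 + list_len, len(server_name_list))
    while q + 3 <= end:
        name_type = server_name_list[q]
        name_len = struct.unpack("!H", server_name_list[q + 1:q + 3])[0]
        name = server_name_list[q + 3:q + 3 + name_len]
        if name_type == HOST_NAME_TYPE and len(name) == name_len:
            return name.decode("ascii", "replace")
        q += 3 + name_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observer sees SNI:", extract_sni(hello))   # prints www.example.com
```

The parser is deliberately defensive (every length is bounds-checked and a truncated or non-handshake record yields None) because the same logic is what a passive monitoring or filtering box runs on untrusted traffic; that is exactly the capability ESNI is meant to take away.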
Enter Encrypted Server Name Indication
Encrypted SNI (ESNI) keeps the destination name out of the cleartext part of the handshake. The specification is still an experimental Internet-Draft, with the current version set to expire on March 22. It is an extension to TLS 1.3 and later: only from version 1.3 on is the website certificate delivered inside the encrypted part of the handshake, so hiding the SNI on older versions would be pointless, as the certificate itself reveals the site name.
The mechanism works by having the server publish a public key in a Domain Name System (DNS) record (in the draft, a TXT record under the _esni subdomain of the site) that the client fetches before opening the connection.
The client uses that key to encrypt the SNI value, so the hostname is protected in transit and decrypted only at the destination.
Cloudflare explains that the encryption key is agreed over the untrusted network with a Diffie-Hellman key exchange: the client combines a fresh ephemeral private key with the server's published public key, sends its ephemeral public key along in the ClientHello, and the server combines that with its own private key to arrive at the same secret.
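The three steps above (publish a key in DNS, encrypt the name with a Diffie-Hellman derived key, decrypt at the server) as an added, self-contained example; this is not the draft's reference code or Cloudflare's implementation. It uses X25519 written out from RFC 7748 and HKDF-SHA256 from the standard library so that it runs offline. Two simplifications are assumptions: a dict stands in for the DNS record, and the encryption is encrypt-then-MAC with an HKDF keystream plus HMAC tag, standing in for the AES-GCM or ChaCha20-Poly1305 AEAD the draft negotiates. The padded_length of 260 and the "esni keys" label are likewise chosen here, not taken from the specification.

```python
import hashlib
import hmac
import os
import struct

# X25519 parameters (RFC 7748)
P = 2**255 - 19
A24 = 121665
BASEPOINT = b"\x09" + b"\x00" * 31
# Every encrypted SNI is padded to this size so its length leaks nothing.
# Assumed value; the draft calls this padded_length and the server chooses it.
PADDED_LEN = 260


def x25519(scalar: bytes, point: bytes) -> bytes:
    """X25519 scalar multiplication via the RFC 7748 Montgomery ladder.
    Written for readability, not constant time: do not reuse in production."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Extract (zero salt) followed by HKDF-Expand, RFC 5869."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def publish_esni_record(server_priv: bytes) -> dict:
    """Server side: the public key the draft puts in the _esni.<domain> DNS record.
    A dict stands in for DNS here (constructed)."""
    return {"public_key": x25519(server_priv, BASEPOINT)}


def _derive_keys(shared: bytes, client_random: bytes):
    # Bind the keys to this ClientHello's random so a captured ESNI cannot be
    # replayed verbatim. The keystream-plus-HMAC construction is a stdlib
    # stand-in for the AEAD the real draft uses (assumption, see lead-in).
    keys = hkdf_sha256(shared, b"esni keys" + client_random, 32 + PADDED_LEN)
    return keys[:32], keys[32:]          # (mac key, keystream)


def client_encrypt_sni(record: dict, hostname: str, client_random: bytes) -> dict:
    """Client side: ephemeral DH against the published key, then encrypt the padded name."""
    eph_priv = os.urandom(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    shared = x25519(eph_priv, record["public_key"])
    if shared == bytes(32):
        raise ValueError("low-order public key in DNS record")   # RFC 7748 section 6.1 check
    name = hostname.encode("idna")
    if len(name) > PADDED_LEN - 2:
        raise ValueError("hostname longer than padded_length")
    plaintext = struct.pack("!H", len(name)) + name
    plaintext += b"\x00" * (PADDED_LEN - len(plaintext))
    mac_key, keystream = _derive_keys(shared, client_random)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, eph_pub + client_random + ciphertext, hashlib.sha256).digest()
    return {"key_share": eph_pub, "encrypted_sni": ciphertext, "tag": tag}


def server_decrypt_sni(server_priv: bytes, ext: dict, client_random: bytes):
    """Server side: recover the hostname, or None if the tag fails (abort the handshake)."""
    shared = x25519(server_priv, ext["key_share"])
    if shared == bytes(32):
        return None
    mac_key, keystream = _derive_keys(shared, client_random)
    expected = hmac.new(mac_key, ext["key_share"] + client_random + ext["encrypted_sni"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ext["tag"]):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ext["encrypted_sni"], keystream))
    name_len = struct.unpack("!H", plaintext[:2])[0]
    return plaintext[2:2 + name_len].decode("ascii", "replace")


if __name__ == "__main__":
    server_priv = os.urandom(32)                  # lives on the server; never leaves it
    record = publish_esni_record(server_priv)     # fetched by the client via DNS (DoH/DoT ideally)
    client_random = os.urandom(32)                # the ClientHello.random
    ext = client_encrypt_sni(record, "secret.example.com", client_random)
    print("on the wire:", ext["encrypted_sni"][:16].hex(), "...")
    print("server recovers:", server_decrypt_sni(server_priv, ext, client_random))
```

Two details worth noticing: the fixed padded_length means an observer cannot distinguish a short hostname from a long one by ciphertext size, and the all-zero shared-secret check rejects a low-order public key that an attacker could plant in a spoofed DNS answer, which is one reason the key record should itself be fetched over encrypted, validated DNS.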
Taking care of loose ends
Even with ESNI hiding the destination inside the TLS handshake, the DNS queries that look up the website's IP address (and the ESNI key record itself) travel in plain text unless DNS is encrypted too, so they remain visible on the network.
Cloudflare gradually adopted a series of technical solutions to get to the stage where it can offer increased privacy to users accessing websites on its infrastructure.
The company added support for DNS over TLS (DoT) and DNS over HTTPS (DoH) and combined it with its own public DNS resolver (1.1.1.1) so that DNS queries are protected from prying eyes by encryption.
Recent support for DNSSEC protects against cache poisoning at the resolver: Cloudflare's authoritative DNS signs its records and the resolver verifies the signatures before accepting and caching a response.