Cloudflare Improves Privacy by Encrypting the SNI During TLS Negotiation



Cloudflare, Inc. is a U.S. company that provides content delivery network services, DDoS mitigation, Internet security and distributed domain name server services, sitting between the visitor and the Cloudflare user’s hosting provider, acting as a reverse proxy for websites.

Cloudflare was created in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn, who had previously worked on Project Honey Pot. Cloudflare was launched at the September 2010 TechCrunch Disrupt conference.

Cloudflare announced today support for encrypted Server Name Indication (ESNI), a mechanism that makes it harder for anyone on the network path to track users' browsing.

A single web server (or a CDN edge) can host many websites that all share one external IP address. This is done through virtual hosting, where the server decides which site to serve based on the hostname the client asks for.

Server Name Indication (SNI) is a TLS extension that lets the client tell the server which hostname it wants, so a server hosting several sites behind one IP address can present the certificate for the right one.

A client with SNI support puts the hostname it is trying to reach in its ClientHello, the very first message of the handshake.

That first message is sent in the clear, so every node along the path can read it. An observer can use it to log which sites users visit, or to block or slow down connections to websites it does not approve of.
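To make the observer's view concrete, here is an added Python example (not code from Cloudflare or from the article) that builds a constructed ClientHello and then parses it the way a passive on-path box would, pulling the hostname out of the plaintext server_name extension. The record and extension layouts follow RFC 8446 and RFC 6066; the random field, cipher suites and hostname are constructed locally, so the script runs offline. A hello without server_name, a non-handshake record and a truncated record all yield None rather than a crash, which is what a sniffer parsing untrusted bytes needs.

```python
import struct

SNI_EXT = 0x0000               # server_name extension type (RFC 6066)
SUPPORTED_VERSIONS = 0x002b    # an unrelated extension, present so the parser has to skip it


def _vec(data: bytes, len_bytes: int) -> bytes:
    """TLS variable-length vector: big-endian length prefix followed by the bytes."""
    return len(data).to_bytes(len_bytes, "big") + data


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal ClientHello record; hostname=None omits server_name entirely."""
    extensions = _ext(SUPPORTED_VERSIONS, _vec(b"\x03\x04", 1))   # offers TLS 1.3 only
    if hostname is not None:
        entry = b"\x00" + _vec(hostname.encode("ascii"), 2)      # name_type host_name(0)
        extensions += _ext(SNI_EXT, _vec(entry, 2))              # ServerNameList
    body = (
        b"\x03\x03"                        # legacy_version = TLS 1.2
        + b"\x11" * 32                     # random (constructed, deliberately not random)
        + _vec(b"", 1)                     # legacy_session_id
        + _vec(b"\x13\x01\x13\x02", 2)     # cipher_suites: AES-128-GCM, AES-256-GCM
        + _vec(b"\x00", 1)                 # legacy_compression_methods: null
        + _vec(extensions, 2)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def _parse(record: bytes):
    if record[0] != 0x16:                                   # not a Handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:                                       # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip legacy_version and random
    pos += 1 + body[pos]                                    # legacy_session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + body[pos]                                    # compression methods
    if pos + 2 > len(body):
        return None                                         # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        q, list_end = 2, 2 + int.from_bytes(data[:2], "big")
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                              # host_name
                return name.decode("ascii")
    return None


def extract_sni(record: bytes):
    """What an on-path observer learns from one ClientHello: the hostname, or None."""
    try:
        return _parse(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                         # malformed input: learn nothing


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))
    print(extract_sni(build_client_hello()))
```

Feed `extract_sni` the first record of a captured TLS session (for example the payload of the first client-to-server TCP segment) and it returns the name in the clear; that single call is the whole "tracking" capability ESNI is designed to take away.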

Enter Encrypted Server Name Indication


Encrypted SNI (ESNI) removes that exposure by encrypting the destination name. The specification is still experimental: it exists as an Internet-Draft, the current version of which expires on March 22. It is an extension to TLS 1.3 and later, where the server's certificate is already delivered in the encrypted part of the handshake, which leaves the plaintext SNI as the main remaining leak of the destination name.

The mechanism works by having the server publish a public key in a Domain Name System (DNS) record that the client fetches before opening the connection.

The client uses that key to encrypt the SNI field so it is protected in transit and can only be decrypted by the destination server.

Cloudflare explains that the client and server agree on the encryption key over the untrusted network with a Diffie-Hellman key exchange: the client combines a fresh key of its own with the public key it read from DNS, the server combines the client's share with its private key, and both arrive at the same secret without it ever crossing the wire.
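The exchange described in the three paragraphs above, as an added Python model that is not Cloudflare's code or the draft's reference implementation. Assumptions, all mine: finite-field Diffie-Hellman over the RFC 3526 2048-bit group stands in for the draft's elliptic-curve key shares; an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for the AEAD cipher; the `_esni.<host>` TXT record name and base64 encoding follow the draft; the DNS answer is a constructed dict rather than a live lookup. What it shows that the text does not: the server key is long-lived and published once, the client contributes a fresh ephemeral share per connection, the plaintext is padded to a fixed length so ciphertext size does not reveal hostname length, and a tampered or mis-keyed extension is rejected rather than decrypted to garbage.

```python
import base64, hashlib, hmac, os, secrets

# 2048-bit MODP prime, RFC 3526 group 14 (assumption: finite-field DH models the draft's
# key shares; check the constant against the RFC before reusing it anywhere real)
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
PADDED_LENGTH = 64      # assumption: fixed plaintext size so ciphertext length hides hostname length


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand (RFC 5869) on top of hmac/hashlib only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy HMAC counter-mode keystream standing in for the draft's AEAD; demo only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_keys(shared: bytes, record_txt: str):
    """Bind the traffic keys to the published record, as the draft's derivation hashed ESNIKeys."""
    salt = hashlib.sha256(record_txt.encode()).digest()
    okm = hkdf_sha256(shared, salt, b"esni demo", 64)
    return okm[:32], okm[32:]                    # (encryption key, MAC key)


class EsniServer:
    """Long-term ESNI key pair: the public half goes into DNS, the private half stays here."""

    def __init__(self):
        self._priv = secrets.randbits(256)
        pub = pow(G, self._priv, P)
        self.record_txt = base64.b64encode(pub.to_bytes(256, "big")).decode()

    def dns_record(self, hostname: str) -> dict:
        # Constructed TXT answer under the _esni.<host> name the draft used
        return {"_esni." + hostname: self.record_txt}

    def decrypt_sni(self, ext: dict):
        """Server side: recover the real hostname, or None if the extension fails its MAC."""
        client_share = int.from_bytes(ext["key_share"], "big")
        shared = pow(client_share, self._priv, P).to_bytes(256, "big")
        enc_key, mac_key = derive_keys(shared, self.record_txt)
        expected = hmac.new(mac_key, ext["nonce"] + ext["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, ext["tag"]):
            return None                          # tampered, or encrypted to someone else's key
        padded = _xor(ext["ciphertext"], keystream(enc_key, ext["nonce"], PADDED_LENGTH))
        return padded.rstrip(b"\x00").decode("ascii")


def client_encrypt_sni(dns_answer: dict, hostname: str) -> dict:
    """Client side: read the key from the DNS answer and build the encrypted SNI extension."""
    record_txt = dns_answer["_esni." + hostname]
    server_pub = int.from_bytes(base64.b64decode(record_txt), "big")
    x = secrets.randbits(256)                    # fresh ephemeral exponent per connection
    shared = pow(server_pub, x, P).to_bytes(256, "big")
    enc_key, mac_key = derive_keys(shared, record_txt)
    name = hostname.encode("ascii")
    if len(name) > PADDED_LENGTH:
        raise ValueError("hostname longer than padded_length")
    nonce = os.urandom(12)
    ciphertext = _xor(name.ljust(PADDED_LENGTH, b"\x00"), keystream(enc_key, nonce, PADDED_LENGTH))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Everything in this dict is what an on-path observer sees in the ClientHello
    return {"key_share": pow(G, x, P).to_bytes(256, "big"),
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


if __name__ == "__main__":
    server = EsniServer()
    host = "secret.example.net"                  # constructed hostname
    ext = client_encrypt_sni(server.dns_record(host), host)
    print("observer sees:", {k: v.hex()[:16] + "..." for k, v in ext.items()})
    print("server recovers:", server.decrypt_sni(ext))
```

Running the script shows the observer's haul: a 256-byte key share, a 12-byte nonce, 64 bytes of ciphertext and a tag, none of which contain the hostname, and every field except the key share changes on each connection. Note what the client had to do first: look up `_esni.secret.example.net` in DNS, which is exactly the query the "loose ends" section below is about.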

Taking care of loose ends


ESNI hides the destination name inside the TLS handshake, but the DNS queries that resolve the website's IP address (and fetch the ESNI key record) are still sent in plain text and remain visible on the network. The destination IP address itself is also visible on every packet, so ESNI helps most where many sites share the same addresses, as they do on a CDN.

Cloudflare has gradually adopted a series of technical measures to reach the point where it can offer this level of privacy to users of websites on its infrastructure.

The company added support for DNS over TLS (DoT) and DNS over HTTPS (DoH) and combined them with its own DNS resolver service, so that DNS queries are encrypted and protected from prying eyes.

Its more recent DNSSEC support prevents cache poisoning at the resolver level: responses exchanged between Cloudflare's authoritative servers and its resolver are signed and verified, so for a signed zone a forged record, an attacker-supplied ESNI key included, is rejected instead of cached.
