QUICK FACTS
Created Jan 0001
Status Verified Sarcastic
Type Existential Dread
Keywords
client, hostname, ip address, tcp port, public key certificate, virtual hosting, certificate, man-in-the-middle attack

Server Name Indication

“(SNI) is an extension to the Transport Layer Security (TLS) protocol, a cornerstone of modern secure network communication. It’s the digital equivalent of a...”

Contents
  • 1. Overview
  • 2. Etymology
  • 3. Cultural Impact

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol, a cornerstone of modern secure network communication. It’s the digital equivalent of a bouncer at a club who checks your invitation before letting you in. Specifically, SNI allows a client , like your web browser, to announce which hostname it’s trying to reach before the secure connection is fully established. Think of it as shouting out your destination before the taxi driver even starts the engine. This seemingly small detail is crucial because it enables a single server, residing at a single IP address and listening on a specific TCP port , to host multiple secure websites, each with its own unique Public key certificate . Without SNI, this would be akin to trying to run a hundred different businesses out of the same storefront with only one mailbox – chaos. It’s the technological counterpart to HTTP/1.1’s name-based virtual hosting , but for the encrypted world of HTTPS. This also extends to proxies, allowing them to intelligently route client traffic to the correct server during that critical TLS handshake phase. The catch? The hostname you’re trying to reach isn’t encrypted in the original SNI extension. So, while your actual data is safe, a snooper can still peek at which site you’re visiting. This extension was formally specified in 2003 by RFC 3546.

Background of the Problem

Before SNI graced us with its presence, the TLS connection process was a bit of a blunt instrument. When a client initiated a TLS connection, it had no discernible way to tell the server which specific site it intended to visit. Imagine walking into a massive library and asking for a book without specifying the title or author – the librarian would be utterly lost. If a server happened to be hosting multiple websites on a single network listener, it faced the same dilemma: which certificate should it present? The process typically involved the client requesting a certificate from the server. Once the server obliged, the client would dutifully scrutinize it, comparing the requested hostname with the names listed within the certificate. A match meant smooth sailing; a mismatch, however, could trigger warnings, potentially aborting the connection altogether, as it might signal a nefarious man-in-the-middle attack . Some applications, bless their reckless hearts, would allow users to override these warnings, essentially telling them to trust the connection at their own peril.

The fundamental issue was the difficulty, and often impossibility, of obtaining a single certificate that could comprehensively cover every single hostname a server might be responsible for. Servers are often tasked with serving a multitude of domains, and each might require its own distinct certificate. While it’s technically possible to bundle multiple domains under a single certificate using the subjectAltName extension, this approach quickly becomes unwieldy. These “unified communications certificates” would need constant reissuing every time the roster of associated domains changed, a logistical nightmare.

This predicament directly clashed with the elegance of name-based virtual hosting, a technique that allows a single server to manage multiple DNS hostnames from the same IP address. In the realm of HTTP, this works because the server can inspect the Host header sent by the client, which explicitly states the requested hostname. However, with HTTPS, the TLS handshake occurs before any HTTP headers are even visible to the server. This temporal disconnect meant that the server couldn’t leverage the Host header to make an informed decision about which certificate to present. Consequently, only hostnames covered by the same certificate could be efficiently served from a single IP address.

The practical ramification was stark: an HTTPS server was largely confined to serving only one domain, or a very small, tightly grouped set of domains, per IP address if secure and smooth browsing was to be maintained. The alternative – dedicating a unique IP address to each secure website – was prohibitively expensive. Requests for IP addresses needed rigorous justification to regional internet registries, and, crucially, IPv4 addresses have become a scarce commodity. Even with the more abundant IPv6 address space, assigning multiple IPs to a single machine introduced considerable administrative overhead. The net result was that countless websites were effectively discouraged from adopting secure communications, leaving users and their data exposed.

Technical Principles

SNI elegantly sidesteps this entire mess by introducing a mechanism for the client to explicitly state the virtual domain it’s targeting during the initial stages of the TLS negotiation, specifically within the ClientHello message. This preemptive declaration empowers the server to swiftly identify the correct virtual domain and, in turn, present the browser with the certificate that precisely matches the requested name. Consequently, when both the client and server support SNI, a single IP address can host a diverse array of domain names, even when obtaining a universally applicable certificate is impractical.

The formalization of SNI occurred in June 2003 when it was integrated into the IETF ’s collection of Internet RFCs via RFC 3546, titled “Transport Layer Security (TLS) Extensions.” The standard has since evolved, with the current iteration being RFC 6066.

Security Implications

It’s crucial to understand that the payload of the Server Name Indication extension is not encrypted. This means that the hostname the client is attempting to connect to remains visible to any passive observer monitoring the network traffic. This inherent vulnerability has been exploited by various entities for network filtering and monitoring purposes, and more consequentially, by governments to implement internet censorship.

In response to this privacy concern, several technologies have emerged with the aim of obscuring the Server Name Indication.

Domain Fronting

Domain fronting is a clever technique that involves replacing the intended hostname within the SNI field with a different one. This alternative hostname is either hosted by the same server or, more commonly, belongs to a large network of servers, such as a content delivery network (CDN). When a client employs domain fronting, it sends the obscured, unencrypted domain name in the SNI, but retains the original, intended domain name within the HTTP Host header. The TLS encryption then shields the Host header, ensuring the server receives the correct request and serves the appropriate content. However, domain fronting can be seen as a violation of the SNI standard itself, leading to compatibility issues. Many services actively check if the SNI hostname matches the Host header and will reject connections that appear to be domain-fronted as invalid. While domain fronting was once a popular method for circumventing government censorship, its effectiveness has waned as major cloud providers, including Google and Amazon’s AWS and CloudFront, have explicitly prohibited its use in their terms of service and implemented technical restrictions against it.

Encrypted Client Hello

Encrypted Client Hello (ECH) is a protocol extension designed for TLS 1.3 and later versions. Its primary function is to encrypt the entire ClientHello message, which is exchanged in the early stages of the TLS 1.3 negotiation. ECH achieves this by encrypting the payload using a public key that the relying party, typically a web browser, must possess beforehand. This requirement makes ECH most effective when deployed with large CDNs whose keys are known to browser vendors in advance.

The precursor to ECH was an extension introduced in 2018 called Encrypted SNI (ESNI). ESNI focused specifically on encrypting just the SNI portion of the ClientHello, rather than the entire message. Implementations of ESNI were rolled out experimentally to mitigate the risk of domain eavesdropping. Support for ESNI was integrated into Firefox in October 2018, but it necessitated enabling DNS over HTTPS (DoH). However, this version was eventually removed in January 2021 with the release of Firefox 85.

Following analysis that demonstrated encrypting only the SNI was insufficient, ESNI underwent a significant revision in March 2020 and was renamed Encrypted Client Hello (ECH). The rationale behind this change was that other extensions within the ClientHello message could still leak information. For instance, the Pre-Shared Key extension, used for session resumption, could potentially contain a cleartext copy of the server name, undermining the privacy goals of ESNI. Furthermore, encrypting extensions individually would require a corresponding encrypted variant for every extension, each with its own potential privacy implications, and even then, the set of advertised extensions could still be exposed. Real-world deployments of ESNI also revealed interoperability challenges. The name briefly changed to ECHO in March 2020 before settling on ECH in May 2020.

A notable characteristic of both ESNI and ECH is their exclusive compatibility with TLS 1.3. This is because they rely on the KeyShareEntry mechanism, which was first defined in TLS 1.3.

Further development has introduced an Internet Draft that proposes a parameter for transmitting ECH public keys via HTTPS and SVCB DNS record types . This aims to streamline the handshake process.

The implementation of these privacy-enhancing measures has not been without its challenges and geographical variations. In August 2020, the Great Firewall of China began blocking ESNI traffic, although it initially allowed ECH traffic. Around the same time, in October 2020, Russian ISPs Rostelecom and Tele2 started blocking ESNI traffic. This followed a September 2020 announcement by the Russian censorship ministry, Roskomnadzor, of plans to ban various encryption protocols, including TLS 1.3 and ESNI, which were seen as impediments to web site access control.

As of July 2023, at the IETF117 meeting, developers working on ECH indicated that Chrome and Firefox were initiating a 1% sample trial. The team anticipated submitting the final draft for evaluation by the IESG by January 2024. In September 2023, Cloudflare announced support for ECH for domains hosted on its platform.

ECH is now enabled by default in Firefox starting with version 119, and Mozilla recommends its use in conjunction with DNS over HTTPS . In September 2023, Chromium version 117, which powers Google Chrome , Microsoft Edge , Samsung Internet , and Opera , also enabled ECH by default. This implementation, however, requires keys to be deployed in HTTPS resource records within DNS.

Implementation

The journey of SNI from concept to widespread adoption involved significant development efforts. In 2004, the EdelKey project released a patch to integrate TLS/SNI support into OpenSSL , a widely used cryptographic library. This patch was subsequently integrated into the development branch of OpenSSL in 2006 and then back-ported to the stable OpenSSL 0.9.8 release series in 2007. The first web browsers to offer SNI support emerged in 2006, including Mozilla Firefox 2.0 and Internet Explorer 7. Web server support, while lagging slightly, began to appear later, with Apache HTTP Server gaining SNI capabilities in 2009 and Microsoft IIS following suit in 2012.

For an application to leverage SNI, two conditions must be met: the underlying TLS library it uses must support SNI, and the application itself must be programmed to pass the hostname information to that library. The complexity is further amplified by the fact that TLS libraries can be either embedded directly within an application or exist as components of the operating system. This architectural variation explains why some browsers exhibit SNI support across all operating systems, while others only support it on specific platforms.

Support

The adoption and implementation of SNI, and more recently ECH, vary across different software and platforms. The following table provides a snapshot of support for these crucial technologies.

| Software | Type | SNI Supported | Notes | Since | ECH Supported | Notes

This comprehensive table, though extensive, serves to illustrate the pervasive nature of SNI and the ongoing efforts to bolster privacy through ECH. It highlights the intricate web of software and protocols that underpin our digital interactions and the continuous evolution required to maintain security and privacy in an ever-changing landscape.