Don't panic about domain fronting, an SNI fix is getting hacked out

Alternative proposed to sending server names in cleartext


Over the weekend, at the IETF Hackathon in Montreal, Canada, software engineers from Apple, Cloudflare, Fastly and Mozilla made some progress toward closing a privacy gap affecting network communications.

The programmers built a preliminary implementation of a privacy-oriented draft protocol called Encrypted Server Name Indication, or ESNI, which expands on TLS 1.3, the most recent version of Transport Layer Security.

The Server Name Indication (SNI) is a TLS extension that enables client code to transmit a virtual domain name during the TLS negotiation process. It allows a server with a single IP address to support multiple virtual domains, instead of having a separate IP address for each TLS host.

SNI, however, does not conceal the requested hostname, and that has privacy implications. Because the hostname can be read in cleartext from the "server_name" extension in the ClientHello message, intermediaries can use it for censorship.

ESNI solves this problem by replacing the "server_name" extension in the ClientHello message with an "encrypted_server_name" extension during connections to domains served by ESNI-supporting providers. The hosting biz can decrypt the hostname, but network providers along the way and national firewalls can't.
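To make the privacy gap concrete, here is an added example (not from the article or from any of the implementations it mentions) that builds a minimal TLS ClientHello and pulls the hostname straight out of the plaintext "server_name" extension, exactly as an on-path observer can. It assumes a constructed ClientHello rather than a real capture, and the ESNI extension codepoint 0xffce is taken from the early draft specification.

```python
import struct

SNI_EXT = 0x0000   # server_name, RFC 6066
ESNI_EXT = 0xFFCE  # encrypted_server_name, codepoint used by the early draft-ietf-tls-esni documents

def build_client_hello(extensions):
    """Construct a minimal record-framed ClientHello carrying the given extensions.
    extensions: list of (ext_type, ext_data). Constructed sample, not a real capture."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03"                           # client_version (TLS 1.2 on the wire)
            + b"\x00" * 32                        # random, zeroed for reproducibility
            + b"\x00"                             # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_extension(hostname):
    """Encode a server_name extension: ServerNameList with one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name (0)
    return (SNI_EXT, struct.pack("!H", len(entry)) + entry)

def parse_extensions(record):
    """Walk a record-framed ClientHello and return {ext_type: ext_data}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9 + 2 + 32                                     # record + handshake headers, version, random
    p += 1 + record[p]                                 # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    exts = {}
    while p + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", record[p:p + 4])
        exts[ext_type] = record[p + 4:p + 4 + ext_size]
        p += 4 + ext_size
    return exts

def extract_sni(record):
    """Return the cleartext hostname an on-path observer sees, or None if no server_name extension."""
    data = parse_extensions(record).get(SNI_EXT)
    if data is None:
        return None
    name_len = struct.unpack("!H", data[3:5])[0]       # skip list length (2) and name_type (1)
    return data[5:5 + name_len].decode("ascii")
```

With a classic ClientHello the hostname falls out in the clear; with an ESNI-style ClientHello only an opaque 0xffce blob is present, so the same observer learns nothing about the requested site.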

Other consequences of SNI visibility include content filtering by DNS providers or enterprise firewalls and traffic discrimination (assigning different quality-of-service profiles to specific types of data).

Servers implementing the draft protocol can be found at esni.examp1e.net and cloudflare-esni.com. Support for ESNI can be found in BoringSSL (maintained by Google), Mozilla's Network Security Services (NSS) and picotls.

Hacking a permanent solution

In a phone interview with The Register, Matthew Prince, co-founder and CEO of Cloudflare, said SNI "really is one of the last chinks in the encryption armor."


After Cloudflare launched its 1.1.1.1 privacy-focused DNS resolver in April, Prince said there were concerns among engineers at Cloudflare and Mozilla about the visibility of SNI. After the IETF failed to settle on a path forward, Prince said there was enough interest at Apple, Google and Mozilla to try to come up with a working implementation, in the hope of driving the standards process forwards.

"We've got enough scale and breadth on our side," he said.

"If browser makers will support this, we should be able to come up with a working implementation of encrypted SNI."

Until recently, a handful of privacy-focused communications tools like Signal relied on a technique known as domain fronting to conceal requested hostnames as a defense against censorship.

But cloud service providers like Amazon and Google recently revised their policies and technology to disallow domain fronting, to the dismay of human rights activists.

Prince explained that domain fronting is a hack. "The right long-term solution is to encrypt the SNI request," he said.

Another yet-to-be-closed privacy gap, Prince said, is the ability to discover the destination of a request from the IP address.

"Unless you use something like Tor, you'll never be able to hide the destination IP address," said Prince.

But at large service providers like Cloudflare, it's possible to reassign IP addresses for the sake of privacy. Prince said the company already does this to some extent, shifting customers from one IP address to another, but the process isn't as random as it could be. He suggested it might become more so. ®
