
On Sat, 6 Jul 2019 09:55:53 +1200, Peter Reutemann quoted:
'An industry group of internet service providers has branded Firefox browser maker Mozilla an “internet villain” for supporting a DNS security standard.'
Reading the user comments on this <https://www.theregister.co.uk/2019/07/06/mozilla_ukisp_vallain/>, I found a link to this <https://www.cloudflare.com/ssl/encrypted-sni/> interesting browser-security checker.

You may be familiar with “virtual hosting”, where a bunch of different websites get to share the same public IP address (because the number of public websites long ago exceeded the number of available IPv4 addresses, at any rate). When the browser connects to the server, it sends a “Server Name Indication” (“SNI”, actually just a “Host:” HTTP header line) to indicate what website it is expecting to connect to. This line is sent unencrypted, even when connecting to an https:// URL, because you cannot negotiate a secure connection until you have contacted the actual site in question, since the encryption key comes from the certificate, which is tied to the domain name.

The solution to this is called “Encrypted SNI” <https://blog.cloudflare.com/encrypted-sni/>, where an initial encryption key is published via the secure DNS, so it can be used right from the start of the TLS handshake. This way, no eavesdropper can tell what host name you are trying to connect to.