by kul_ 2085 days ago
Isn't SNI based on the 'Host' header?! This is news to me that SNI is not encrypted in TLS. It's a problem with the protocol, not the ISPs, then.

To determine which certificate to use, the web server needs the client to send it the domain.

To send the domain securely, the client needs to know the public key of the certificate the server is using.

This chicken-and-egg problem has gone unresolved for a long time, and only now are there efforts to fix it (see the work on ESNI).

Encrypted SNI has been in talks for a long time now. It was meant to be out now, but it was shot down at the last minute. And yes, it's the last thing that allows a MitM to work out which site you are on if it's hosted on a shared hosting platform. Likely this is the reason it's hard to get approved.