[seodisparate]

Out of curiosity, I once used wireshark to examine packets from my own system which was configured to use DNS over HTTPS (using dnscrypt-proxy). I discovered that the hostname of the server is in plaintext in a header of a packet separate of the DNS query packets. I think this is due to verification of HTTPS certs, but not sure. By what I've discovered, AFAIK that to completely obscure the server's hostname from the currently used ISP, a VPN (or proxy) is probably necessary.

[tialaramex]

As well as SNI which is mentioned in an existing thread, it's possible you were seeing OCSP the Online Certificate Status Protocol. This is particularly likely if the packet was going to a completely different server.

OCSP is a plaintext (the answers are actually signed but they aren't encrypted) protocol to assure your client that the certificate it's looking at hasn't been revoked.

The correct fix for privacy is that OCSP Stapling should be used. Instead of clients fetching OCSP answers and thereby revealing who they're talking to, the server should pre-emptively fetch OCSP answers about its own certificates, and "staple" the latest good answer to its certificate, saying "Look, here's proof my certificate is still good". This stapled answer is then provided to the client, over the encrypted TLS connection, since OCSP is signed the client can trust this stapled answer and needn't fetch it themselves.

DoH servers should definitely have OCSP stapling. I'm sure the big famous ones do.

[aaomidi]

Alternatively we could get shorter lifetime certificates. I hope for a day where ocsp becomes unnecessary because certs are only valid for a day or two.

[hannob]

This is a TLS mechanism called SNI and yes, it's there to make sure one server can deliver multiple different hosts over TLS.

There's a mechanism called Encrypted ClientHello (ECH), formerly known as ESNI, that tries to address this. Ultimately using either DoH or ECH only provides limited protection, the idea is to use both.

[seodisparate]

Oh I see, thanks for the reply. I did a quick search and came upon https://blog.cloudflare.com/encrypted-client-hello/ which does shed light on ECH. Though I am not sure if only Cloudflare-backed servers provide ECH, or if it is even available. Seems relatively new.

EDIT: Ah, the blog post does indicate that ECH is a work in progress.

[tialaramex]

It is likely that ECH will be a GREASEd "big bang" deployment for various practical reasons.

What that means is, one day you'll get a new browser update and from then all your TLS connections will seem to use ECH, however, since most servers don't speak ECH most of your connections will have an unencrypted Hello as usual and then the ECH payload they carry is actually random noise.

Then, gradually over time, sites do have ECH and the connections to those sites use a cover name in the outer Hello with the real name protected by ECH instead of noise in the ECH data.

I would anticipate this beginning probably in the next 12-18 months once ECH is nailed down completely and ready to be published.

[newscracker]

Note that ECH must be supported on both ends. So it’s required on the browser (or OS or application) too.

[mercora]

while it is easy to see the desired hostname for an SSL connection that makes use of SNI it is also very easy to simply connect to the address someone is communicating with and see what certificate is presented to you. it probably even works by just intercepting it... that keeps being practical as long as non SNI enabled connection or let alone ECH enabled ones are expected to work as well...

[tialaramex]

Unless it deliberately doesn't need a name (e.g. DoH servers like 1.1.1.1 or 8.8.8.8) TLS servers have no reason to respond to connections that don't specify a name with anything other than confused dismay. "Um, who are you calling?".

It's a misfeature of some common web server software that you get a "default" web site as if this was still 1998 and your web browser might not know about HTTP 1.1 yet. The specification doesn't suggest doing this as far as I know and it has caused numerous security problems.

Likewise ALPN. The client has to say which ALPNs they'd accept for this connection if any, and the server just picks one. The server is under no obligation to hint that it knows any particular ALPN or to let you connect without specifying.

[mercora]

what i do is somewhat like you suggest. if haproxy cant determine which hostname it should serve it responds with a "503 Service Unavailable". However, if i expect someone to be able to actually receive that i still need to present a certificate to the client. i use wildcard certificates for this reason. the server wont tell you what names would actually work... you could just terminate connections or signal some kind of handshake error immediately instead though... most sites and services aren't likely to do that as its not very helpful in figuring out why it went wrong or explicitly will try to make it work for clients not supporting this. that's why i noted it being practical as long as incompatible clients are expected to work...

[tialaramex]

TLS has a specific error "alert" unrecognised_name (112) that servers should send if the client doesn't provide a name they recognise (or indeed doesn't provide a name at all and they expected one).

If a web browser connects without specifying a name and it hoped to reach some.nonsense.example your wildcard certificate doesn't help it and it won't display your 503 Service Unavailable error, you aren't some.nonsense.example, it cannot proceed, so you shouldn't bother trying to "help".

[mercora]

that's interesting i will investigate how to make use of that, thanks :)

EDIT: its really pretty easy to do apparently[0] although only unconditionally as it seems...

[0] https://cbonte.github.io/haproxy-dconv/2.4/configuration.htm...