by cpressland 1524 days ago
I’d never considered SNI sniffing. Great point. I’m quite fortunate in that the ISP I’m with (AAISP) is fairly privacy first and don’t _appear_ to be snooping on me in any meaningful way.

That said, I can’t say the same for my phone provider.

2 comments

> don’t _appear_ to be snooping on me in any meaningful way.

SNI is cleartext enough to be passively logged, so you never know. Maybe some government-mandated (or supplied) switch is logging them to some short-lived log file in case they ever need to pull your hostname history.

Note that SNI sniffing protection is in the works by encrypting the client hello[0]. While it's been in draft for some years now, Chrome has a lot of work being put into it[1], so hopefully it'll be done sometime next year with support within Cloudflare and browsers soon after.

0: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?includ...

1: https://bugs.chromium.org/p/chromium/issues/detail?id=109140... (comment 20 onwards)

But do you also trust your phone carrier? (I don't trust either my ISP or my phone) Or when you're out on WiFi that isn't yours? It's a cheap way to add a little extra bit of security and privacy.