by Nextgrid 1209 days ago
Until encrypted SNI/encrypted client hello is a thing, the hostname is still sent in the clear.

Also, it can still be DNS blocked - just because you use Cloudflare's DNS doesn't mean they can't rewrite the responses as they still transit unencrypted. You'd have to use DNS-over-HTTPS or DNS-over-TLS to work around that.

2 comments

If it's TLS 1.2, certificates containing CNs and/or SANs are sent in the clear too.
Luckily, ESNI is being supported by an increasing number of implementations.
I believe China's answer to ESNI is just to block all traffic that attempts to handshake with ESNI, so it still won't necessarily get you anywhere.
Once everything is using ESNI this isn't a problem anymore. It's the lack of implementation that is currently the problem.