by 1oooqooq 781 days ago
> “Server Name Indication” (SNI)

into the trash it goes. anyone who supports https everywhere and even slightly tolerates SNI is a fool.

2 comments

I don't see why you're opposing HTTPS everywhere and SNI, HTTP already had the Host header so it is not a new information leak.

It's pretty much mandatory if you intend to serve multiple domains with different certificates from the same host/proxy, which seems like a very very common use case, and there is no alternative to this right now.

I don't see how you think SNI doesn't nullify https everywhere.

"we need MitM for performance". listen to yourself. if some optimization breaks security, you do not optimize.

> I don't see how you think SNI doesn't nullify https everywhere.

It doesn't. SNI doesn't leak the URL being accessed, or anything that isn't encoded in the hostname.

can you elaborate?

SNI = nsa backdoor into https everywhere.

basically it moves private info in the plain text header "for edge performance"

> SNI = nsa backdoor into https everywhere.

No. Not even remotely true. If you can write a coherent argument that substantiates this claim then I will address it.