Yesterday, Mozilla announced that Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension. This prevents on-path observers from intercepting the TLS SNI extension and using it to determine which websites users are visiting.
Why SNI is needed?
SNI is required when multiple servers are sharing the same IP address. It is an extension to the TLS protocol using which clients are able to indicate which hostname they are attempting to connect to. This permits servers to present multiple certificates on the same IP address and TCP port number. To put this in simple words, SNI helps make large-scale TLS hosting work.
How encrypted SNI (ESNI) works
- First, a public key is published by the server on a well-known DNS record, which is then fetched by the client before connecting.
- Next, the client replaces the SNI extension in the ClientHello with an encrypted SNI extension. The encrypted SNI is basically, the original SNI extension, but encrypted using a symmetric encryption key derived using the server’s public key.
- The server owns the private key and derives the symmetric encryption key as well. It can then decrypt the extension and therefore terminate the connection or forward it to a backend server).
Unlock access to the largest independent learning library in Tech for FREE!
Get unlimited access to 7500+ expert-authored eBooks and video courses covering every tech area you can think of.
Renews at €18.99/month. Cancel anytime
Since the encryption key can only be derived by the client and the server it is connecting to, encrypted SNI cannot be decrypted and accessed by third parties.
How you can enable encrypted SNI (ESNI)
Currently, ESNI is not supported for all the Firefox users. However, Firefox Nightly users can try out this feature by following these steps:
- First, ensure that you have DNS over HTPPS (DoH) enabled. To do that you can check out this article posted by Mozilla.
- Next, you need to set the network.security.esni.enabled preference in about:config to true.
Head over to Mozilla Security Blog to read more about encrypted SNI.
Is Mozilla the most progressive tech organization on the planet right now?
Google Chrome, Mozilla Firefox, and others to disable TLS 1.0 and TLS 1.1 in favor of TLS 1.2 or later by 2020
Mozilla announces $3.5 million award for ‘Responsible Computer Science Challenge’ to encourage teaching ethical coding to CS graduates
United States
United Kingdom
India
Germany
France
Canada
Russia
Spain
Brazil
Australia
Argentina
Austria
Belgium
Bulgaria
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
Greece
Hungary
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Singapore
Slovakia
Slovenia
South Africa
South Korea
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
