Does SNI represent a privacy concern for my website visitors?

Posted by pagliuca on Server Fault See other posts from Server Fault or by pagliuca
Published on 2012-10-19T19:56:05Z Indexed on 2012/10/19 23:05 UTC
Read the original article Hit count: 239

Filed under:
|
|
|

Firstly, I'm sorry for my bad English. I'm still learning it. Here it goes:

When I host a single website per IP address, I can use "pure" SSL (without SNI), and the key exchange occurs before the user even tells me the hostname and path that he wants to retrieve. After the key exchange, all data can be securely exchanged. That said, if anybody happens to be sniffing the network, no confidential information is leaked* (see footnote).

On the other hand, if I host multiple websites per IP address, I will probably use SNI, and therefore my website visitor needs to tell me the target hostname before I can provide him with the right certificate. In this case, someone sniffing his network can track all the website domains he is accessing.

Are there any errors in my assumptions? If not, doesn't this represent a privacy concern, assuming the user is also using encrypted DNS?

Footnote: I also realize that a sniffer could do a reverse lookup on the IP address and find out which websites were visited, but the hostname travelling in plaintext through the network cables seems to make keyword based domain blocking easier for censorship authorities.

© Server Fault or respective owner

Related posts about ssl

Related posts about https