Yesterday, Mozilla announced that Firefox Nightly now supports encrypting the TLS Server Name Indication (SNI) extension. This prevents on-path observers from intercepting the TLS SNI extension and using it to determine which websites users are visiting.
Why SNI is needed
SNI is required when multiple servers share the same IP address. It is an extension to the TLS protocol that lets a client indicate which hostname it is trying to connect to. This permits servers to present multiple certificates on the same IP address and TCP port number. To put it simply, SNI helps make large-scale TLS hosting work; the catch is that it is sent in the clear in the ClientHello, which is why an on-path observer can read it.
How encrypted SNI (ESNI) works
- First, a public key is published by the server on a well-known DNS record, which is then fetched by the client before connecting.
- Next, the client replaces the SNI extension in the ClientHello with an encrypted SNI extension. The encrypted SNI is essentially the original SNI extension, but encrypted under a symmetric key derived from the server’s public key.
- The server owns the private key and derives the same symmetric key. It can then decrypt the extension and either terminate the connection or forward it to a backend server.
Since the encryption key can only be derived by the client and the server it is connecting to, encrypted SNI cannot be decrypted and accessed by third parties.
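The three steps above, as an added example that is not part of the original article or of Mozilla's or Firefox's code: the server publishes an X25519 public key (standing in for the DNS record), the client generates an ephemeral key, derives a shared symmetric key and encrypts the hostname under AES-GCM, and the server reaches the same key from its private half. The key schedule (HKDF-SHA256 with constructed salt and info labels) and the message layout are simplifications chosen for this example, not the ESNI draft's exact wire format. The final lines show what the text's last sentence says: a party holding any other private key derives a different key, and authenticated encryption rejects the ciphertext outright.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ESNIMessage stands in for the encrypted SNI extension in the ClientHello.
type ESNIMessage struct {
	ClientPublic []byte // client's ephemeral X25519 public key (32 bytes)
	Nonce        []byte // AES-GCM nonce (12 bytes)
	Ciphertext   []byte // hostname, encrypted and authenticated
}

// NewServerKey generates the server's ESNI key pair. In the real protocol the
// public half is published in a DNS record; here it is handed to the client.
func NewServerKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// aeadFor derives the AES-GCM cipher shared by one party's private key and the
// other party's public key bytes: ECDH, then HKDF-SHA256 (extract plus one
// expand block, RFC 5869) down to a 16-byte key. The salt and info labels are
// constructed for this example, not taken from the ESNI specification.
func aeadFor(priv *ecdh.PrivateKey, peerPublic []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPublic)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	ext := hmac.New(sha256.New, []byte("esni-example-salt"))
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("esni-example-key"))
	exp.Write([]byte{1})
	block, err := aes.NewCipher(exp.Sum(nil)[:16])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptSNI is the client side: take the server's published public key,
// generate an ephemeral key, derive the shared symmetric key and encrypt the
// hostname under it. The ephemeral public key travels with the ciphertext.
func EncryptSNI(serverPublic []byte, hostname string) (*ESNIMessage, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(eph, serverPublic)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &ESNIMessage{
		ClientPublic: eph.PublicKey().Bytes(),
		Nonce:        nonce,
		Ciphertext:   aead.Seal(nil, nonce, []byte(hostname), nil),
	}, nil
}

// DecryptSNI is the server side: its private key plus the client's ephemeral
// public key yields the same shared secret, hence the same AES key. Any other
// private key gives a different key and GCM's authentication check fails, so
// the hostname never becomes readable to an on-path observer.
func DecryptSNI(serverPriv *ecdh.PrivateKey, msg *ESNIMessage) (string, error) {
	aead, err := aeadFor(serverPriv, msg.ClientPublic)
	if err != nil {
		return "", err
	}
	plain, err := aead.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return "", fmt.Errorf("cannot decrypt ESNI: %w", err)
	}
	return string(plain), nil
}

func main() {
	server, _ := NewServerKey()
	observer, _ := NewServerKey() // an on-path party with a key of its own
	msg, _ := EncryptSNI(server.PublicKey().Bytes(), "example.com") // constructed hostname
	fmt.Println(DecryptSNI(server, msg))   // example.com <nil>
	fmt.Println(DecryptSNI(observer, msg)) // "" plus an authentication error
}
```

Running the program prints the hostname for the legitimate server and an authentication error for the observer; because the symmetric key exists only on the two ends of the ECDH exchange, there is no ciphertext-only path to the name.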
How you can enable encrypted SNI (ESNI)
Currently, ESNI is not enabled for all Firefox users. However, Firefox Nightly users can try out this feature by following these steps:
- First, ensure that you have DNS over HTTPS (DoH) enabled. To do that, you can check out the article posted by Mozilla.
- Next, you need to set the network.security.esni.enabled preference in about:config to true.
Head over to Mozilla Security Blog to read more about encrypted SNI.