
Right now there are no benefits though. Because the browser sends the domain name you contact unencrypted via the TLS handshake due to SNI. So someone listening in on your communication will learn the hostname anyway.

I know people are working on encrypted SNI but that will take time.



Of course there are benefits.

Assume a large entity willing to do some mass surveillance (NSA, ...). Now with unencrypted DNS this entity just has to MITM a link on the last hop of a few DNS providers (Google, Cloudflare) and voila, the IPs of the clients and the domains visited are pouring in.

With encrypted DNS, for an entity to get the same amount of information they need to MITM a much larger number of links.

Though I agree the benefits are clearly limited, the idea is to eliminate all weak links. If there are 2 broken windows in your house and you can fix one - why not do it?
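To make the two leaks discussed in the comments above concrete (the plaintext QNAME in a classic UDP DNS query, and the plaintext SNI in a TLS ClientHello), here is a small passive-observer parser. This is an added example, not code from the original thread or from any of the projects mentioned; both packets are constructed by hand inside the block (the builder helpers, the `example.com` hostname, and the zeroed random field are all assumptions for illustration, not captured traffic). Encrypted DNS takes the first parser's input away from an on-path observer; only encrypted SNI does the same for the second.

```python
"""Passive-observer view of the two plaintext hostname leaks: DNS QNAME and TLS SNI."""
import struct
from typing import Optional


def dns_query_name(payload: bytes) -> str:
    """Return the first question name from a raw DNS message (RFC 1035 wire format)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer never appears in a query's first name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def tls_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if no SNI is present."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: type (0x01 = ClientHello), 24-bit length
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                          # compression_methods
    if pos >= len(hello):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext_data = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000:                     # server_name extension (RFC 6066)
            list_len = struct.unpack("!H", ext_data[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext_data[p]
                name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                 # host_name entry, sent in the clear
                    return ext_data[p:p + name_len].decode("ascii")
                p += name_len
    return None


# --- constructed sample packets (assumptions for this example, not captures) ---

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal standard A/IN query: header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def build_client_hello(host: Optional[str]) -> bytes:
    """Minimal ClientHello record with one cipher suite and, optionally, an SNI extension."""
    body = b"\x03\x03" + bytes(32)                 # version 1.2, random zeroed (constructed)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # compression: null only
    if host is not None:
        hn = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(hn)) + hn
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print("DNS query leaks:", dns_query_name(build_dns_query("example.com")))
    print("TLS SNI leaks:  ", tls_client_hello_sni(build_client_hello("example.com")))
    print("No SNI present: ", tls_client_hello_sni(build_client_hello(None)))
```

Feed real packets in (the UDP payload of a port 53 query, or the first TLS record a client sends on port 443) and the same two functions apply; only the ClientHello parser's result survives a switch to encrypted DNS.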


> Right now there are no benefits though.

In terms of privacy, I would mostly agree. Using an authenticated channel to your resolver still protects against many common MitM vectors, so there's definitely a benefit there. Unlike DNSSEC, you're not dependent on the target domain being in the small subset of DNSSEC-enabled domains, not to mention that most client resolvers won't validate DNSSEC anyway.


Encrypted SNI will take years before it is in common usage.

If you're that concerned about privacy, you'd better use a VPN.


Not necessarily.

CDNs have been doing, and keep doing, a great job of pushing new things forward.

Fastly, Cloudflare and Akamai already have implementations and test websites.



